Windows Analysis Report
SoftWare(1).exe

Overview

General Information

Sample name: SoftWare(1).exe
Analysis ID: 1532889
MD5: 3adc9c7905f10b8c2c0b0bb7826b67a2
SHA1: e7861a02d2beac0caa3c00eb11a1b84fb54437db
SHA256: 60035aa91fc8436120e0d471f046a14fd45191f5ad56bef0bb3c7688c8f0d1ad
Tags: exeuser-4k95m
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SoftWare(1).exe Avira: detected
Antivirus detection for URL or domain
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Found malware configuration
Source: 0.2.SoftWare(1).exe.6cf74000.5.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["enlargkiw.sbs", "allocatinow.sbs", "ehticsprocw.sbs", "drawwyobstacw.sbs", "vennurviot.sbs", "condifendteu.sbs", "resinedyw.sbs", "passimovrt.cfd", "mathcucom.sbs"], "Build id": "HpOoIh--@XXXXrty052"}
Multi AV Scanner detection for domain / URL
Source: condifendteu.sbs Virustotal: Detection: 17% Perma Link
Source: vennurviot.sbs Virustotal: Detection: 17% Perma Link
Source: drawwyobstacw.sbs Virustotal: Detection: 17% Perma Link
Source: mathcucom.sbs Virustotal: Detection: 20% Perma Link
Source: sergei-esenin.com Virustotal: Detection: 17% Perma Link
Source: resinedyw.sbs Virustotal: Detection: 17% Perma Link
Source: enlargkiw.sbs Virustotal: Detection: 17% Perma Link
Source: ehticsprocw.sbs Virustotal: Detection: 15% Perma Link
Source: allocatinow.sbs Virustotal: Detection: 19% Perma Link
Source: https://mathcucom.sbs/g Virustotal: Detection: 18% Perma Link
Source: enlargkiw.sbs Virustotal: Detection: 17% Perma Link
Source: drawwyobstacw.sbs Virustotal: Detection: 17% Perma Link
Source: https://vennurviot.sbs/ Virustotal: Detection: 17% Perma Link
Source: mathcucom.sbs Virustotal: Detection: 20% Perma Link
Source: ehticsprocw.sbs Virustotal: Detection: 15% Perma Link
Source: allocatinow.sbs Virustotal: Detection: 19% Perma Link
Source: https://mathcucom.sbs/ Virustotal: Detection: 20% Perma Link
Source: condifendteu.sbs Virustotal: Detection: 17% Perma Link
Source: https://drawwyobstacw.sbs/api Virustotal: Detection: 17% Perma Link
Source: https://allocatinow.sbs/api Virustotal: Detection: 19% Perma Link
Source: https://vennurviot.sbs/api Virustotal: Detection: 17% Perma Link
Multi AV Scanner detection for submitted file
Source: SoftWare(1).exe ReversingLabs: Detection: 21%
Source: SoftWare(1).exe Virustotal: Detection: 32% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\msvcp110.dll Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SoftWare(1).exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp String decryptor: drawwyobstacw.sbs
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp String decryptor: condifendteu.sbs
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp String decryptor: ehticsprocw.sbs
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp String decryptor: vennurviot.sbs
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp String decryptor: resinedyw.sbs
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp String decryptor: enlargkiw.sbs
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp String decryptor: allocatinow.sbs
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp String decryptor: mathcucom.sbs
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp String decryptor: passimovrt.cfd
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000002.00000002.1972487759.0000000000595000.00000002.00000400.00020000.00000000.sdmp String decryptor: HpOoIh--@XXXXrty052
Uses 32bit PE files
Source: SoftWare(1).exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.28.222:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.46.170:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.30.221:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.141.136:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: SoftWare(1).exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF6556D FindFirstFileExW, 0_2_6CF6556D
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then lea eax, dword ptr [esp+70h] 2_2_0058A429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then push ebx 2_2_0058A429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp ecx 2_2_0059162C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx esi, byte ptr [esp+edx-48088AD6h] 2_2_00590730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3402AD93h] 2_2_005909FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 27BAF212h 2_2_005909FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 4E7D7006h 2_2_00590A8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], C274D4CAh 2_2_00590DDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-62528225h] 2_2_0055CE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [eax], bl 2_2_00561048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp eax 2_2_00574030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 2_2_0057E030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, ebx 2_2_0058A0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx edx, byte ptr [eax+esi] 2_2_00593090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov dword ptr [0059EA1Ch], esi 2_2_0055E104
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx ebp, byte ptr [esp+edx] 2_2_005921C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then push 754C8FBDh 2_2_0055E259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 2_2_00594220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [eax+ebx], 00000030h 2_2_005512D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov ecx, eax 2_2_0055D340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov ebx, dword ptr [esp] 2_2_00579467
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx edx, byte ptr [eax+esi] 2_2_00593430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov edx, eax 2_2_005764CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov word ptr [ecx], dx 2_2_0057C486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 07E776F1h 2_2_0057D541
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 2_2_0058C540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+27DA70DAh] 2_2_0057B525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ebp-21358888h] 2_2_0055D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov edi, esi 2_2_0055D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov word ptr [ecx], dx 2_2_0057C486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, ebx 2_2_005776D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp al, 2Eh 2_2_0057A68D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 2_2_005876A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx ebp, byte ptr [esp+esi+3Ch] 2_2_005606AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h 2_2_0057074A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_0057074A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [ebx], cl 2_2_0057F776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [ebx], al 2_2_0057F776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov edi, ecx 2_2_0057F776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov edx, ecx 2_2_0057872C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [ebx], dl 2_2_0057E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [ebx], cl 2_2_0057E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [ebx], cl 2_2_0057E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [ebx], al 2_2_0057E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov edi, ecx 2_2_0057E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp eax 2_2_0057C811
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then push ebx 2_2_0056E8F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 2_2_00555880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_0055E919
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx+48h] 2_2_005739D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 2_2_0057DA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov ecx, dword ptr [edi+eax] 2_2_0057AB6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov word ptr [ebp+00h], ax 2_2_00570B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx esi, byte ptr [edx] 2_2_0058DB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_00575B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx ecx, byte ptr [edx+ebx-5Ah] 2_2_00592B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp ecx 2_2_00592B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx edx, byte ptr [eax+esi] 2_2_00592B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax-00000093h] 2_2_00594C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 07E776F1h 2_2_0058AC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx ebx, byte ptr [esi+ecx-3EFFFBA8h] 2_2_00577CE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx ebx, word ptr [ecx] 2_2_00577CE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov dl, 01h 2_2_00577CE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov edx, ecx 2_2_00577CE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx edi, byte ptr [eax+esi] 2_2_00556C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], C85F7986h 2_2_00580D01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 2_2_00591E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+373A3ECEh] 2_2_0056EEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp di, 005Ch 2_2_0056EEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov ecx, eax 2_2_0056EEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then push edi 2_2_00590EE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], C85F7986h 2_2_00580E87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx edx, byte ptr [eax+esi] 2_2_00592EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx-05h] 2_2_00576F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-0F9FE973h] 2_2_00576F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov ecx, eax 2_2_00576F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], C85F7986h 2_2_00580FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx ebp, byte ptr [esp+esi-2Fh] 2_2_00589FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov edx, ecx 2_2_0057AFE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx edx, byte ptr [eax+esi] 2_2_00592F90

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.4:60410 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.4:61779 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.4:51466 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.4:51139 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.4:63820 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.4:58982 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056561 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) : 192.168.2.4:49735 -> 104.21.30.221:443
Source: Network traffic Suricata IDS: 2056565 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) : 192.168.2.4:49733 -> 172.67.205.156:443
Source: Network traffic Suricata IDS: 2056563 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) : 192.168.2.4:49734 -> 104.21.46.170:443
Source: Network traffic Suricata IDS: 2056559 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) : 192.168.2.4:49736 -> 172.67.141.136:443
Source: Network traffic Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.4:49533 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.4:55368 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056557 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) : 192.168.2.4:49737 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056567 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) : 192.168.2.4:49732 -> 172.67.152.13:443
Source: Network traffic Suricata IDS: 2056571 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49735 -> 104.21.30.221:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49735 -> 104.21.30.221:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 172.67.141.136:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 172.67.141.136:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49733 -> 172.67.205.156:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 172.67.205.156:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.28.222:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.28.222:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 172.67.152.13:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 172.67.152.13:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49737 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49738 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49734 -> 104.21.46.170:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 104.21.46.170:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49739 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49740 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49740 -> 104.21.53.8:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: enlargkiw.sbs
Source: Malware configuration extractor URLs: allocatinow.sbs
Source: Malware configuration extractor URLs: ehticsprocw.sbs
Source: Malware configuration extractor URLs: drawwyobstacw.sbs
Source: Malware configuration extractor URLs: vennurviot.sbs
Source: Malware configuration extractor URLs: condifendteu.sbs
Source: Malware configuration extractor URLs: resinedyw.sbs
Source: Malware configuration extractor URLs: passimovrt.cfd
Source: Malware configuration extractor URLs: mathcucom.sbs
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: passimovrt.cfd
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mathcucom.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: enlargkiw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: resinedyw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vennurviot.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ehticsprocw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condifendteu.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawwyobstacw.sbs
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=1XYT51TuC4g_X2vBeD8OSXAP7fq2lr4kj4ls6Z9CPMI-1728874871-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 85Host: sergei-esenin.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: passimovrt.cfd
Source: global traffic DNS traffic detected: DNS query: mathcucom.sbs
Source: global traffic DNS traffic detected: DNS query: allocatinow.sbs
Source: global traffic DNS traffic detected: DNS query: enlargkiw.sbs
Source: global traffic DNS traffic detected: DNS query: resinedyw.sbs
Source: global traffic DNS traffic detected: DNS query: vennurviot.sbs
Source: global traffic DNS traffic detected: DNS query: ehticsprocw.sbs
Source: global traffic DNS traffic detected: DNS query: condifendteu.sbs
Source: global traffic DNS traffic detected: DNS query: drawwyobstacw.sbs
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: passimovrt.cfd
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.5.dr String found in binary or memory: http://upx.sf.net
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: aspnet_regiis.exe, 00000002.00000003.1696321945.0000000002975000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/
Source: aspnet_regiis.exe, 00000002.00000003.1696271584.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696321945.0000000002975000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/api
Source: aspnet_regiis.exe, 00000002.00000003.1696132514.0000000002953000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696271584.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696321945.0000000002975000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/apir
Source: aspnet_regiis.exe, 00000002.00000003.1696132514.0000000002953000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696271584.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696321945.0000000002975000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://allocatinow.sbs/pi
Source: aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.a#h
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PA
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=engliHh
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
Source: aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamehY
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: aspnet_regiis.exe, 00000002.00000003.1696132514.0000000002953000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1695896940.000000000293E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696271584.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696321945.0000000002975000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/
Source: aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/api
Source: aspnet_regiis.exe, 00000002.00000003.1696132514.0000000002953000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696271584.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696321945.0000000002975000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/api2
Source: aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/apiPy
Source: aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/apiq#V
Source: aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/g
Source: aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/y#W
Source: aspnet_regiis.exe, 00000002.00000003.1695896940.000000000293E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696132514.0000000002947000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://passimovrt.cfd/
Source: aspnet_regiis.exe, 00000002.00000002.1972630357.000000000292C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://passimovrt.cfd/api
Source: aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs/
Source: aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs/api
Source: aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs/apiq#V
Source: aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://resinedyw.sbs:443/api
Source: aspnet_regiis.exe, 00000002.00000002.1972630357.0000000002918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vennurviot.sbs/
Source: aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vennurviot.sbs/&
Source: aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vennurviot.sbs/api
Source: aspnet_regiis.exe, 00000002.00000003.1780094391.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029D3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780094391.00000000029B8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: aspnet_regiis.exe, 00000002.00000003.1780251283.00000000029B9000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1780094391.00000000029B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-man2
Source: aspnet_regiis.exe, 00000002.00000003.1780094391.00000000029B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1779136143.00000000029AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: aspnet_regiis.exe, 00000002.00000003.1779034737.00000000029DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 104.21.28.222:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.205.156:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.46.170:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.30.221:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.141.136:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49740 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00584BE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_00584BE0
Contains functionality to read the clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00584BE0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_00584BE0
Contains functionality to record screenshots
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00584D70 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 2_2_00584D70

System Summary
barindex
PE file contains section with special chars
Source: SoftWare(1).exe Static PE information: section name: 'H{_AE
PE file has nameless sections
Source: SoftWare(1).exe Static PE information: section name:
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF4BEA0 GetModuleHandleW,NtQueryInformationProcess, 0_2_6CF4BEA0
Detected potential crypto function
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF4C4F0 0_2_6CF4C4F0
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF4A540 0_2_6CF4A540
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF4BEA0 0_2_6CF4BEA0
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF550D0 0_2_6CF550D0
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF5C4B0 0_2_6CF5C4B0
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF464A0 0_2_6CF464A0
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF56490 0_2_6CF56490
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF59880 0_2_6CF59880
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF58C60 0_2_6CF58C60
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF5E440 0_2_6CF5E440
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF56040 0_2_6CF56040
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF5AC30 0_2_6CF5AC30
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF59000 0_2_6CF59000
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF54DC0 0_2_6CF54DC0
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF6B997 0_2_6CF6B997
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF58930 0_2_6CF58930
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF5C110 0_2_6CF5C110
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF592F0 0_2_6CF592F0
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF452C0 0_2_6CF452C0
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF542C0 0_2_6CF542C0
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF57EB0 0_2_6CF57EB0
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF59E90 0_2_6CF59E90
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF55E30 0_2_6CF55E30
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF5AFD0 0_2_6CF5AFD0
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF58390 0_2_6CF58390
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF5EB60 0_2_6CF5EB60
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF56F40 0_2_6CF56F40
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF5D330 0_2_6CF5D330
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF5B710 0_2_6CF5B710
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF57B00 0_2_6CF57B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0058A429 2_2_0058A429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0059162C 2_2_0059162C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00560B70 2_2_00560B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0055ECA0 2_2_0055ECA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0058AD60 2_2_0058AD60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0055CE80 2_2_0055CE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00561048 2_2_00561048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00551000 2_2_00551000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0057E030 2_2_0057E030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0055B0F0 2_2_0055B0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00593090 2_2_00593090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_005881CE 2_2_005881CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_005921C0 2_2_005921C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_005512D5 2_2_005512D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00594340 2_2_00594340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00571360 2_2_00571360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0056E323 2_2_0056E323
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0055132D 2_2_0055132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00579467 2_2_00579467
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00593430 2_2_00593430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_005764CB 2_2_005764CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00572480 2_2_00572480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0057B525 2_2_0057B525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00594600 2_2_00594600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0057560E 2_2_0057560E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_005776D0 2_2_005776D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_005926E0 2_2_005926E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0057A68D 2_2_0057A68D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0057F776 2_2_0057F776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00580728 2_2_00580728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0057E850 2_2_0057E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00589820 2_2_00589820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0057C8D7 2_2_0057C8D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_005598DE 2_2_005598DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_005538E0 2_2_005538E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0055C950 2_2_0055C950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0058E900 2_2_0058E900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00594900 2_2_00594900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_005739D0 2_2_005739D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_005579E0 2_2_005579E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0058A9E0 2_2_0058A9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0057BB50 2_2_0057BB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0057AB6E 2_2_0057AB6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00588B67 2_2_00588B67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00592B80 2_2_00592B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00582C70 2_2_00582C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0055AC60 2_2_0055AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00594C10 2_2_00594C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0055BC00 2_2_0055BC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00577CE3 2_2_00577CE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0056DC9E 2_2_0056DC9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00559C8C 2_2_00559C8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00571D70 2_2_00571D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0057CD60 2_2_0057CD60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00576D28 2_2_00576D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00558DC0 2_2_00558DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00579DA0 2_2_00579DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0056EEE0 2_2_0056EEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00582E80 2_2_00582E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00580E87 2_2_00580E87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00592EA0 2_2_00592EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00564F0C 2_2_00564F0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00576F20 2_2_00576F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00580FD0 2_2_00580FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00556FC0 2_2_00556FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00559FC0 2_2_00559FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0057AFE3 2_2_0057AFE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00592F90 2_2_00592F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_00554FA0 2_2_00554FA0
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: String function: 0055DF80 appears 217 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: String function: 0055C740 appears 62 times
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: String function: 6CF5F800 appears 33 times
One or more processes crash
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 1724
Sample file is different than original file name gathered from version info
Source: SoftWare(1).exe, 00000000.00000002.1682123078.00000000013BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SoftWare(1).exe
Source: SoftWare(1).exe Binary or memory string: OriginalFilenameVioletTrumpAmerica176Zachary.uPIH vs SoftWare(1).exe
Uses 32bit PE files
Source: SoftWare(1).exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SoftWare(1).exe Static PE information: Section: 'H{_AE ZLIB complexity 1.0003328476688103
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/7@11/9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0058A260 CoCreateInstance, 2_2_0058A260
Source: C:\Users\user\Desktop\SoftWare(1).exe File created: C:\Users\user\AppData\Roaming\msvcp110.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess280
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5316:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c2971479-67ca-4e2c-9d71-3fc063496a05 Jump to behavior
Source: SoftWare(1).exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\SoftWare(1).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SoftWare(1).exe ReversingLabs: Detection: 21%
Source: SoftWare(1).exe Virustotal: Detection: 32%
Source: unknown Process created: C:\Users\user\Desktop\SoftWare(1).exe "C:\Users\user\Desktop\SoftWare(1).exe"
Source: C:\Users\user\Desktop\SoftWare(1).exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SoftWare(1).exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 1724
Source: C:\Users\user\Desktop\SoftWare(1).exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: SoftWare(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SoftWare(1).exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\SoftWare(1).exe Unpacked PE file: 0.2.SoftWare(1).exe.dd0000.0.unpack 'H{_AE:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
PE file contains sections with non-standard names
Source: SoftWare(1).exe Static PE information: section name: 'H{_AE
Source: SoftWare(1).exe Static PE information: section name:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_00E1C9EE pushad ; ret 0_2_00E1C9EF
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_00E1C6C8 push esi; ret 0_2_00E1C6D8
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_00E20F38 push ss; ret 0_2_00E20F58
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF6C0B1 push ecx; ret 0_2_6CF6C0C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_005692E2 push esp; retf 2_2_005692E5
Source: SoftWare(1).exe Static PE information: section name: 'H{_AE entropy: 7.999398017019204
Drops PE files
Source: C:\Users\user\Desktop\SoftWare(1).exe File created: C:\Users\user\AppData\Roaming\msvcp110.dll Jump to dropped file
Source: C:\Users\user\Desktop\SoftWare(1).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory allocated: 2F60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory allocated: 30D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory allocated: 50D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory allocated: 5740000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory allocated: 6740000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory allocated: 6870000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory allocated: 7870000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory allocated: 7C00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory allocated: 8C00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory allocated: 9C00000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SoftWare(1).exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\SoftWare(1).exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\msvcp110.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SoftWare(1).exe TID: 2000 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 2892 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF6556D FindFirstFileExW, 0_2_6CF6556D
Source: C:\Users\user\Desktop\SoftWare(1).exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Amcache.hve.5.dr Binary or memory string: VMware
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: aspnet_regiis.exe, 00000002.00000002.1972630357.000000000292C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696132514.0000000002953000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1715514677.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1972630357.0000000002953000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1696271584.0000000002955000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1695896940.0000000002953000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe API call chain: ExitProcess graph end node
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_005907F0 LdrInitializeThunk, 2_2_005907F0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF5F682 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CF5F682
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF66C90 GetProcessHeap, 0_2_6CF66C90
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF5F157 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CF5F157
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF5F682 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CF5F682
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF6361C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CF6361C
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 550000 protect: page execute and read and write Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF4C4F0 GetGameData,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 0_2_6CF4C4F0
Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF4C4F0 GetGameData,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 0_2_6CF4C4F0
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 550000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: SoftWare(1).exe, 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: drawwyobstacw.sbs
Source: SoftWare(1).exe, 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: condifendteu.sbs
Source: SoftWare(1).exe, 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: ehticsprocw.sbs
Source: SoftWare(1).exe, 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: vennurviot.sbs
Source: SoftWare(1).exe, 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: resinedyw.sbs
Source: SoftWare(1).exe, 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: enlargkiw.sbs
Source: SoftWare(1).exe, 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: allocatinow.sbs
Source: SoftWare(1).exe, 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: mathcucom.sbs
Source: SoftWare(1).exe, 00000000.00000002.1693581576.000000006CF74000.00000004.00000001.01000000.00000007.sdmp String found in binary or memory: passimovrt.cfd
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 550000 Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 551000 Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 595000 Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 598000 Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 5A8000 Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 272A008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SoftWare(1).exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF5F848 cpuid 0_2_6CF5F848
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SoftWare(1).exe Queries volume information: C:\Users\user\Desktop\SoftWare(1).exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe Code function: 0_2_6CF5F2CB GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6CF5F2CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1532889 Sample: SoftWare(1).exe Startdate: 14/10/2024 Architecture: WINDOWS Score: 100 23 vennurviot.sbs 2->23 25 steamcommunity.com 2->25 27 9 other IPs or domains 2->27 35 Multi AV Scanner detection for domain / URL 2->35 37 Suricata IDS alerts for network traffic 2->37 39 Found malware configuration 2->39 41 11 other signatures 2->41 8 SoftWare(1).exe 3 2->8         started        signatures3 process4 file5 19 C:\Users\user\AppData\Roaming\msvcp110.dll, PE32 8->19 dropped 21 C:\Users\user\AppData\...\SoftWare(1).exe.log, ASCII 8->21 dropped 43 Detected unpacking (changes PE section rights) 8->43 45 Contains functionality to inject threads in other processes 8->45 47 Contains functionality to inject code into remote processes 8->47 49 4 other signatures 8->49 12 aspnet_regiis.exe 8->12         started        15 conhost.exe 8->15         started        signatures6 process7 dnsIp8 29 passimovrt.cfd 104.21.28.222, 443, 49730 CLOUDFLARENETUS United States 12->29 31 ehticsprocw.sbs 104.21.30.221, 443, 49735 CLOUDFLARENETUS United States 12->31 33 7 other IPs or domains 12->33 17 WerFault.exe 22 16 12->17         started        process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.53.8
 sergei-esenin.com United States
13335 CLOUDFLARENETUS true
188.114.96.3
 drawwyobstacw.sbs European Union
13335 CLOUDFLARENETUS true
172.67.152.13
 enlargkiw.sbs United States
13335 CLOUDFLARENETUS true
104.21.30.221
 ehticsprocw.sbs United States
13335 CLOUDFLARENETUS true
172.67.141.136
 condifendteu.sbs United States
13335 CLOUDFLARENETUS true
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS true
104.21.28.222
 passimovrt.cfd United States
13335 CLOUDFLARENETUS true
172.67.205.156
 resinedyw.sbs United States
13335 CLOUDFLARENETUS true
104.21.46.170
 vennurviot.sbs United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
condifendteu.sbs 172.67.141.136 true
steamcommunity.com 104.102.49.254 true
vennurviot.sbs 104.21.46.170 true
drawwyobstacw.sbs 188.114.96.3 true
mathcucom.sbs 188.114.96.3 true
sergei-esenin.com 104.21.53.8 true
passimovrt.cfd 104.21.28.222 true
ehticsprocw.sbs 104.21.30.221 true
resinedyw.sbs 172.67.205.156 true
enlargkiw.sbs 172.67.152.13 true
allocatinow.sbs unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
enlargkiw.sbs true unknown
allocatinow.sbs true unknown
drawwyobstacw.sbs true unknown
mathcucom.sbs true unknown
https://steamcommunity.com/profiles/76561199724331900 true
  • URL Reputation: malware
 unknown
https://vennurviot.sbs/api true unknown
ehticsprocw.sbs true unknown
passimovrt.cfd true unknown
condifendteu.sbs true unknown
https://drawwyobstacw.sbs/api true unknown
https://resinedyw.sbs/api true
    		unknown
    https://passimovrt.cfd/api true
      		unknown
      https://mathcucom.sbs/api true
        		unknown
        resinedyw.sbs true
          		unknown
          vennurviot.sbs true
            		unknown
            https://condifendteu.sbs/api true
              		unknown
              https://enlargkiw.sbs/api true
                		unknown