Windows Analysis Report
17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe

Overview

General Information

Sample name: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe
Analysis ID: 1543223
MD5: 41eb06f85e275528a2142cf18db54a72
SHA1: 04323cbc574d9e0c59c3bf8a66a3d56ce560a0a5
SHA256: 28ebd01d6b6e06f3eee9fff5807523db8d0d5e37f30a520c10e862cabc6c3553
Tags: base64-decoded, exe, user-abuse_ch

Detection

LummaC
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Detected potential crypto function
One or more processes crash
PE file does not import any functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware configuration: {"C2 url": ["presticitpo.store", "founpiuer.store", "fadehairucw.store", "withdrwblon.cyou", "crisiwarny.store", "thumbystriw.store", "necklacedmny.store", "scriptyprefej.store", "navygenerayk.store"], "Build id": "HpOoIh--@topgcr"}

Yara match
Source: decrypted.binstr
Rule: JoeSecurity_LummaCStealer_2
Description: Yara detected LummaC Stealer
Author: Joe Security
    No Sigma rule has matched
    No Suricata rule has matched


    AV Detection

    Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe
        Malware Configuration Extractor: LummaC {"C2 url": ["presticitpo.store", "founpiuer.store", "fadehairucw.store", "withdrwblon.cyou", "crisiwarny.store", "thumbystriw.store", "necklacedmny.store", "scriptyprefej.store", "navygenerayk.store"], "Build id": "HpOoIh--@topgcr"}
        ReversingLabs: Detection: 23%
        Joe Sandbox ML: detected
        String decryptor: scriptyprefej.store
        String decryptor: navygenerayk.store
        String decryptor: founpiuer.store
        String decryptor: necklacedmny.store
        String decryptor: thumbystriw.store
        String decryptor: fadehairucw.store
        String decryptor: crisiwarny.store
        String decryptor: presticitpo.store
        String decryptor: withdrwblon.cyou
        String decryptor: lid=%s&j=%s&ver=4.0
        String decryptor: TeslaBrowser/5.5
        String decryptor: - Screen Resoluton:
        String decryptor: - Physical Installed Memory:
        String decryptor: Workgroup: -
        String decryptor: HpOoIh--@topgcr
        Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Submitted Sample
        Integrated Neural Analysis Model: Matched 99.5% probability
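The sample crashed under WerFault in the sandbox and contacted no domain or IP, so every network indicator on this page comes from static configuration extraction and string decryption, not from observed traffic. The script below is an added example (not part of the Joe Sandbox report or of the LummaC code) that turns those indicators into a check a responder can run over their own logs: it loads the extracted configuration verbatim, matches DNS queries and HTTP hosts against the C2 domains (including subdomains), flags the "TeslaBrowser/5.5" user agent and any POST body that instantiates the decrypted format string "lid=%s&j=%s&ver=4.0", and emits one Suricata DNS rule per domain. The key=value log format, the field names (ts, src, qname, host, ua, body) and the sample records are constructed for the example; the meaning of the lid and j parameters is not given by the report, so only the shape of the string is matched, and the generated Suricata rules have not been validated against live traffic.

```python
import json
import re

# Configuration exactly as extracted by the report above.
MALWARE_CONFIG = json.loads(
    '{"C2 url": ["presticitpo.store", "founpiuer.store", "fadehairucw.store", '
    '"withdrwblon.cyou", "crisiwarny.store", "thumbystriw.store", '
    '"necklacedmny.store", "scriptyprefej.store", "navygenerayk.store"], '
    '"Build id": "HpOoIh--@topgcr"}'
)
C2_DOMAINS = frozenset(d.lower() for d in MALWARE_CONFIG["C2 url"])

# Decrypted strings from the report that are usable as network indicators.
LUMMA_USER_AGENT = "TeslaBrowser/5.5"
# The report shows the format string "lid=%s&j=%s&ver=4.0"; match any filled-in instance.
LUMMA_BEACON_RE = re.compile(r"(?:^|&)lid=[^&]*&j=[^&]*&ver=4\.0(?:&|$)")

# key=value records with optional double-quoted values (constructed log format;
# replace parse_record() with a parser for your own proxy/DNS log format).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def domain_matches(name: str, c2_domains=C2_DOMAINS) -> bool:
    """True if `name` is one of the C2 domains or a subdomain of one (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in c2_domains)


def scan_log(lines, c2_domains=C2_DOMAINS) -> list:
    """Return one hit per record that matches a domain, user-agent or beacon-body indicator."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        reasons = []
        host = rec.get("host") or rec.get("qname")
        if host and domain_matches(host, c2_domains):
            reasons.append(f"c2-domain:{host}")
        if rec.get("ua") == LUMMA_USER_AGENT:
            reasons.append("lumma-user-agent")
        if rec.get("method") == "POST" and LUMMA_BEACON_RE.search(rec.get("body", "")):
            reasons.append("lumma-beacon-body")
        if reasons:
            hits.append({"ts": rec.get("ts"), "src": rec.get("src"), "reasons": reasons})
    return hits


def suricata_dns_rules(c2_domains=C2_DOMAINS, base_sid=1000000) -> list:
    """One Suricata DNS-query rule per C2 domain, in sorted order so SIDs are stable."""
    rules = []
    for i, domain in enumerate(sorted(c2_domains)):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"LummaC C2 domain lookup {domain}"; '
            f'dns.query; content:"{domain}"; nocase; endswith; sid:{base_sid + i}; rev:1;)'
        )
    return rules


# Constructed sample records (not from the report) covering each indicator type:
# a DNS lookup of a C2 subdomain, a full beacon, benign traffic, and a beacon-shaped
# POST to an IP that is not in the configuration.
SAMPLE_LOG = [
    'ts=2024-10-27T12:39:01Z src=10.0.0.5 qname=cdn.founpiuer.store',
    'ts=2024-10-27T12:39:02Z src=10.0.0.5 method=POST host=presticitpo.store path=/api '
    'ua="TeslaBrowser/5.5" body="lid=XXXX&j=YYYY&ver=4.0"',
    'ts=2024-10-27T12:39:03Z src=10.0.0.7 method=GET host=www.example.com path=/ ua="Mozilla/5.0" body=""',
    'ts=2024-10-27T12:39:04Z src=10.0.0.9 method=POST host=203.0.113.10 path=/api ua="Mozilla/5.0" body="lid=ZZZZ&j=1&ver=4.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("\n".join(suricata_dns_rules()))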

    Networking

    Source: Malware configuration extractor
        URLs: presticitpo.store
        URLs: founpiuer.store
        URLs: fadehairucw.store
        URLs: withdrwblon.cyou
        URLs: crisiwarny.store
        URLs: thumbystriw.store
        URLs: necklacedmny.store
        URLs: scriptyprefej.store
        URLs: navygenerayk.store
    Source: Amcache.hve.4.dr
        String found in binary or memory: http://upx.sf.net
    System Summary

    Source: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe
        Code function: 0_2_004072DD
        Code function: 0_2_00407306
        Code function: 0_2_0040C90C
        Code function: 0_2_00407315
        Code function: 0_2_0040B189
        Code function: 0_2_0040D3A7
        Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Section loaded: apphelp.dll
    Source: unknown
        Process created: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe "C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe"
    Source: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe
        Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 224
    Source: C:\Windows\SysWOW64\WerFault.exe
        Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3500
        File created: C:\ProgramData\Microsoft\Windows\WER\Temp\8eeaae2e-5d5b-4e00-a439-2bcbfb9a07c1
    Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe
        Static PE information: No import functions for PE file found
        Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
        Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        ReversingLabs: Detection: 23%
    Source: classification engine
        Classification label: mal84.troj.evad.winEXE@2/5@0/0
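Three of the static findings above ("Uses 32bit PE files", "PE file does not import any functions", and the DYNAMIC_BASE / NX_COMPAT / NO_SEH / TERMINAL_SERVER_AWARE flags) can be reproduced from the PE headers alone, which is useful when triaging a decoded payload before detonation. The script below is an added example (not part of the Joe Sandbox report and not the sample's code) that parses the DOS, file and optional headers with the standard library only and reports those findings; it does not depend on the pefile package. An empty import directory on a real executable means the binary resolves its APIs at runtime (for example by walking the PEB and hashing export names) or expects a separate loader to do so; the report's "Number of executed functions: 0" and the immediate WerFault crash are consistent with the latter, but that is an inference, not something this check proves. The build_minimal_pe() helper constructs a header-only PE32 image with the same flags as test input; it is not derived from the sample.

```python
import struct
import sys

# Flag names as printed by the report's "Static PE information" lines.
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0100: "32BIT_MACHINE",
}
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
MACHINE_NAMES = {0x014C: "I386", 0x8664: "AMD64"}


def _flag_names(value: int, table: dict) -> list:
    return [name for bit, name in table.items() if value & bit]


def triage_pe(data: bytes) -> dict:
    """Parse the PE headers in `data` and reproduce the report's static findings."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")

    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    fh = e_lfanew + 4
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, fh)

    # IMAGE_OPTIONAL_HEADER: PE32 (0x10B) and PE32+ (0x20B) differ after ImageBase.
    oh = fh + 20
    magic = struct.unpack_from("<H", data, oh)[0]
    if magic == 0x10B:
        dllchar_off, ndirs_off, dirs_off = oh + 70, oh + 92, oh + 96
    elif magic == 0x20B:
        dllchar_off, ndirs_off, dirs_off = oh + 70, oh + 108, oh + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_characteristics = struct.unpack_from("<H", data, dllchar_off)[0]
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]

    # Data directory index 1 is the import table; an all-zero entry means no imports.
    import_rva = import_size = 0
    if ndirs > 1:
        import_rva, import_size = struct.unpack_from("<II", data, dirs_off + 8)

    result = {
        "machine": MACHINE_NAMES.get(machine, f"{machine:#06x}"),
        "file_characteristics": _flag_names(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": _flag_names(dll_characteristics, DLL_CHARACTERISTICS),
        "has_import_table": import_rva != 0 and import_size != 0,
        "findings": [],
    }
    if characteristics & 0x0100:
        result["findings"].append("Uses 32bit PE files")
    if not result["has_import_table"]:
        result["findings"].append("PE file does not import any functions")
    return result


def build_minimal_pe(with_imports: bool) -> bytes:
    """Constructed header-only PE32 image carrying the report's flags (test input, not the sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew -> right after the DOS header
    file_header = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0002 | 0x0100)
    opt = bytearray(0xE0)                                      # PE32 optional header, 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic = PE32
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x0400 | 0x8000)  # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    if with_imports:
        struct.pack_into("<II", opt, 96 + 8, 0x3000, 40)       # import directory RVA / size
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(False)
    for key, value in triage_pe(data).items():
        print(f"{key}: {value}")
```

Run it with a path argument to triage a real file, or without arguments to see the constructed header parsed. The "Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ" finding would need the section table, which this example deliberately leaves out.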
    Data Obfuscation

    Source: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe
        Code function: 0_2_004114E4 push ebx; retf 0_2_004114E5
        Code function: 0_2_00401525 push dword ptr [edx+eax-77h]; ret 0_2_0040152A
    Malware Analysis System Evasion

    Source: C:\Windows\SysWOW64\WerFault.exe
        Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
        Process information set: NOOPENFILEERRORBOX (50 occurrences)
    Source: Amcache.hve.4.dr
        Binary or memory string: VMware
        Binary or memory string: VMware Virtual USB Mouse
        Binary or memory string: vmci.syshbin
        Binary or memory string: VMware, Inc.
        Binary or memory string: VMware20,1hbin@
        Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
        Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
        Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
        Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
        Binary or memory string: c:/windows/system32/drivers/vmci.sys
        Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Binary or memory string: vmci.sys
        Binary or memory string: vmci.syshbin`
        Binary or memory string: \driver\vmci,\driver\pci
        Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Binary or memory string: VMware20,1
        Binary or memory string: Microsoft Hyper-V Generation Counter
        Binary or memory string: NECVMWar VMware SATA CD00
        Binary or memory string: VMware Virtual disk SCSI Disk Device
        Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
        Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
        Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
        Binary or memory string: VMware PCI VMCI Bus Device
        Binary or memory string: VMware VMCI Bus Device
        Binary or memory string: VMware Virtual RAM
        Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
        Binary or memory string: vmci.inf_amd64_68ed49469341f563
    Note: Amcache.hve is the analysis machine's own application-compatibility hive, copied into the WER report by WerFault.exe (it is listed under the dropped files below). The VMware and Hyper-V strings above describe the sandbox host, not content of the sample, and should not be read as evidence that the sample fingerprints virtual machines.
    Anti Debugging

    Source: C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe
        Process queried: DebugPort (2 occurrences)

    HIPS / PFW / Operating System Protection Evasion

    Source: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe, 00000000.00000000.2387998826.0000000000449000.00000008.00000001.01000000.00000003.sdmp
        String found in binary or memory: scriptyprefej.store
        String found in binary or memory: navygenerayk.store
        String found in binary or memory: founpiuer.store
        String found in binary or memory: necklacedmny.store
        String found in binary or memory: thumbystriw.store
        String found in binary or memory: fadehairucw.store
        String found in binary or memory: crisiwarny.store
        String found in binary or memory: presticitpo.store
        String found in binary or memory: withdrwblon.cyou
    Source: Amcache.hve.4.dr
        Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
        Binary or memory string: msmpeng.exe
        Binary or memory string: c:\program files\windows defender\msmpeng.exe
        Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
        Binary or memory string: MsMpEng.exe
    Note: the Windows Defender (MsMpEng.exe) paths come from the sandbox's own Amcache.hve hive, not from the sample, so the "AV process strings found" signature is weak evidence on this analysis.

    Stealing of Sensitive Information

    Source: Yara match
        File source: decrypted.binstr, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match
        File source: decrypted.binstr, type: MEMORYSTR

    MITRE ATT&CK Matrix (matched techniques per tactic; the count shown by the report is in brackets)

    Execution: PowerShell [1]
    Persistence: DLL Side-Loading [1]
    Privilege Escalation: Process Injection [1], DLL Side-Loading [1]
    Defense Evasion: Virtualization/Sandbox Evasion [1], Process Injection [1], Deobfuscate/Decode Files or Information [1], DLL Side-Loading [1], Obfuscated Files or Information [1]
    Discovery: Security Software Discovery [21], Virtualization/Sandbox Evasion [1], System Information Discovery [1]
    Collection: Archive Collected Data [1]
    Command and Control: Encrypted Channel [1], Application Layer Protocol [1]
    No techniques matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
    Source | Detection | Scanner | Label | Link
    17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe | 24% | ReversingLabs | |
    17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe | 100% | Joe Sandbox ML | |
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches

    Source | Detection | Scanner | Label | Link
    http://upx.sf.net | 0% | URL Reputation | safe |

    No contacted domains info

    Name | Malicious | Antivirus Detection | Reputation
    presticitpo.store | true | | unknown
    founpiuer.store | true | | unknown
    scriptyprefej.store | true | | unknown
    thumbystriw.store | true | | unknown
    withdrwblon.cyou | true | | unknown
    necklacedmny.store | true | | unknown
    fadehairucw.store | true | | unknown
    crisiwarny.store | true | | unknown
    navygenerayk.store | true | | unknown

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://upx.sf.net | Amcache.hve.4.dr | false | URL Reputation: safe | unknown

    No contacted IP infos
    Joe Sandbox version: 41.0.0 Charoite
    Analysis ID: 1543223
    Start date and time: 2024-10-27 13:38:14 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 4m 28s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed: 7
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe
    Detection: MAL
    Classification: mal84.troj.evad.winEXE@2/5@0/0
    EGA Information: Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 11
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 20.42.65.92
    • Excluded domains from analysis (whitelisted): client.wns.windows.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
    • Execution Graph export aborted for target 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe, PID 3500 because there are no executed functions
    • VT rate limit hit for: 17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe
    Time | Type | Description
    08:39:38 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
    No context
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.7140136304563881
                      Encrypted:false
                      SSDEEP:384:eofouoV2WolNXfJoDoVjEzuiFaY4IO8SoSoL:BNXf3jEzuiFaY4IO8
                      MD5:CAF4835BFA63BD5BDD7EA844DD4CEEF3
                      SHA1:F4D2361752648AB6E9747FC9BFC005B33C71C787
                      SHA-256:4782D75897E200F0FF9A13A303401DF237B275C31FE38F950A752B6497BC39F5
                      SHA-512:8B7BBBB3ABFD9AA6F8EDD8DF4F35FBCF77325FABE1773AE5819F7E67A1B5A14DCEFA5A6CA2571C48A8333917DFEED5C9F47E60A656233BEC8BDFAAC233201057
                      Malicious:false
                      Reputation:low
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.5.0.6.3.7.5.7.2.0.5.5.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.5.0.6.3.7.6.0.1.7.4.1.5.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.a.f.0.3.0.0.-.b.3.b.6.-.4.0.1.5.-.9.4.6.d.-.1.c.6.4.4.2.3.a.6.5.9.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.e.7.f.8.7.5.-.9.3.c.8.-.4.7.c.9.-.8.0.a.b.-.e.7.2.6.3.f.b.d.e.6.3.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.1.7.3.0.0.3.2.6.2.8.6.f.c.6.e.1.e.6.8.9.0.0.1.5.b.3.b.5.1.e.d.b.c.f.f.b.e.e.e.b.5.3.d.1.8.d.1.9.c.c.e.1.f.b.2.8.9.d.5.f.0.a.3.6.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.a.c.-.0.0.0.1.-.0.0.1.5.-.7.0.c.3.-.5.8.4.7.6.d.2.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.f.7.b.b.8.0.7.8.7.c.2.4.b.3.b.4.4.b.b.5.8.f.e.2.2.b.a.2.f.b.5.0.0.0.0.f.f.f.f.!.0.0.0.0.0.4.3.2.3.c.b.c.5.7.4.d.9.e.0.c.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Sun Oct 27 12:39:35 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):19618
                      Entropy (8bit):2.053944633293251
                      Encrypted:false
                      SSDEEP:96:5H8rrQBiZWNyYWIdPANni7n5trKVkjS68LWx4WqTbljl+9WI/WItgIZgvWg:eATQIRANnOCBRkgOg
                      MD5:DA1F9CAEEC89C48FB6A3A745CCD3DF2F
                      SHA1:6BB3E4E72801DCD4FECD47424CDD026B04056209
                      SHA-256:C23DEE4FD17B1E4598E1102144046189FB450B461A8D13369C9D42ED17C5B693
                      SHA-512:DA6B135AD10EAB2528A3481B4FC7CA5669E04344848A65B03AE36DEFB265BB2E7C97DEFF1D3E67DFEFE50F9993F4122FD4EC8D7B8E12BAE2ADBFF9C4A317BEFB
                      Malicious:false
                      Reputation:low
                      Preview:MDMP..a..... ........4.g............4...............<.......d...<...........T.......8...........T...........H...ZC......................................................................................................eJ......L.......GenuineIntel............T............4.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8548
                      Entropy (8bit):3.701324182742163
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJjANoj6A7I6Y2DmSU9Vgmf0ANSJPWOMpxu89bHN9sfS1Vm:R6lXJjoE6Ak6YLSU9Vgmf0oSJPWOsHNI
                      MD5:33F88C4C6E330C20F510E561E92EAB60
                      SHA1:2B5B8D04DF438401CCF15E68B695AB94C085152D
                      SHA-256:1AF1EEAC66E33605125A51B4EEE25C2116B443D01F304EFA56BD5653E5A4907A
                      SHA-512:36C2484B4B5E427A0FC80458A9087371AA9E6EA67EBE206DA36292015B4A6482FC463D8515EE7C037A43D16AC450B493F07EF54E9A421C7F09452C1CD498DD01
                      Malicious:false
                      Reputation:low
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.5.0.0.<./.P.i.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4893
                      Entropy (8bit):4.5607216364199985
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zsRiJg77aI9BeWpW8VYxYm8M4JU5AKFS+q8BbgPXizaiadd:uIjfOI7zf7VJJU56kMPXeaiadd
                      MD5:72D116A1176FA838DD4A8F9EC5E479D7
                      SHA1:16D7C3DBA424FD851EDECD5F88C60F7AF96EA934
                      SHA-256:798F41DB10A251F0FA6BBD267462DF0F9DEF3680A4D64DC5791AEA5578DF0440
                      SHA-512:68E667EBF1AACA0BB3A698F0B4DD19E9F116E0826A6CCCDDA2B9BF6F7AA769613DF62A0531CB760309BE1F0A07160F8C9DB39DAD4F51FD2371AD80523B673754
                      Malicious:false
                      Reputation:low
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="561822" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:MS Windows registry file, NT/2000 or above
                      Category:dropped
                      Size (bytes):1835008
                      Entropy (8bit):4.469108376605485
                      Encrypted:false
                      SSDEEP:6144:5zZfpi6ceLPx9skLmb0fSZWSP3aJG8nAgeiJRMMhA2zX4WABluuN/jDH5S:RZHtSZWOKnMM6bFpZj4
                      MD5:EFF1F727858469674866F8E907EEC12D
                      SHA1:6EB1781185122DA6563AC05CF5D2F9DEE41AF051
                      SHA-256:DA7DCD32DF37EF2B95C2EA6A3658561602775746DA575F1ADD81DD070907AD14
                      SHA-512:15444E4051156779A08FBA0C3336244773CA53E7B5153FDECC194B06CBAECE90090DDDCDED28AA6024271CE43BA58073CE949D840695E781ADBD2102EFC94067
                      Malicious:false
                      Reputation:low
                      Preview:regfI...I....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...Gm(................................................................................................................................................................................................................................................................................................................................................s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):6.814864886744471
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe
                      File size:354'019 bytes
                      MD5:41eb06f85e275528a2142cf18db54a72
                      SHA1:04323cbc574d9e0c59c3bf8a66a3d56ce560a0a5
                      SHA256:28ebd01d6b6e06f3eee9fff5807523db8d0d5e37f30a520c10e862cabc6c3553
                      SHA512:efce3fb539206709f6a73f683dc60e5eb828d086a394465c7b1a2b5ac2d3b9face4a9d577387bb56e9b686f3df8e524e70c343c743ee571e9e6c7662e6fb40f3
                      SSDEEP:6144:05gt/WJxHSd56E+a5VTWaRVeCK6V/Hyw1sKsuH1AliCTPYyXNzzTxEq:054/oyd56E+yTx46V/HQKsdi5yXNz3Oq
                      TLSH:00748D07EB6350D1D887897422CF737BAE3A621153684EC7DA4CEED038B36F16836956
                      File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J........................@.......................................@.................................R......
                      Icon Hash:00928e8e8686b000
                      Entrypoint:0x40cf90
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0x6715D353 [Mon Oct 21 04:06:43 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:6
                      OS Version Minor:0
                      File Version Major:6
                      File Version Minor:0
                      Subsystem Version Major:6
                      Subsystem Version Minor:0
                      Import Hash:
                      Instruction
                      loop 00007F434C8E8403h
                      shr cl, FFFFFF8Bh
                      add al, byte ptr [eax]
                      add byte ptr [ebx-3EEBDBB4h], cl
                      loope 00007F434C8E83D7h
                      mov esi, dword ptr [esp+10h]
                      mov dword ptr [esp+14h], ecx
                      lea eax, dword ptr [esi+ecx]
                      add eax, 00008F12h
                      push 00000120h
                      push 00000000h
                      push eax
                      call 00007F434C8E882Fh
                      add esp, 0Ch
                      mov eax, dword ptr [esp+1Ch]
                      add eax, esi
                      add eax, 00008852h
                      push 00000240h
                      push 00000000h
                      push eax
                      call 00007F434C8E8814h
                      add esp, 0Ch
                      test ebx, ebx
                      add al, ah
                      dec esi
                      mov bh, 8Eh
                      in al, 00h
                      add byte ptr [eax], al
                      add ebp, FFFFFFFEh
                      mov eax, 00000001h
                      mov ecx, dword ptr [esp+14h]
                      add ecx, dword ptr [esp+10h]
                      mov dword ptr [esp+14h], ecx
                      mov dword ptr [esp+0Ch], ebp
                      jmp 00007F434C8E83F1h
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      mov esi, dword ptr [esp+04h]
                      mov dword ptr [esp+04h], esi
                      lea ecx, dword ptr [eax+01h]
                      cmp eax, ebx
                      mov eax, ecx
                      add al, ah
                      dec esi
                      mov bh, 84h
                      stosd
                      add byte ptr [eax], al
                      add byte ptr [ebx-7ACF7BB4h], cl
                      leave
                      jle 00007F434C8E83B5h
                      mov edx, ecx
                      and edx, 03h
                      je 00007F434C8E841Eh
                      mov esi, dword ptr [esp+04h]
                      lea edi, dword ptr [00000000h+esi*4]
                      add edi, ebp
                      xor esi, esi
                      mov ebp, dword ptr [esp+14h]
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      nop
                      movzx edx, word ptr [eax]
                      loopne 00007F434C8E8420h
                      mov bh, 88h
                      test byte ptr [ebx], ch
                      adc cl, byte ptr [edi+00000000h]
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x48052 | 0x8c | .rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x59000 | 0x4a84 | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x481a0 | 0xc0 | .rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      .text | 0x1000 | 0x44901 | 0x44a00 | f716ae96b9fe377cd3bc507c192a8d7e | False | 0.5444451559653917 | data | 6.661889453528604 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rdata | 0x46000 | 0x253d | 0x2600 | 75aa12666fc3cd0dae60f7e8d72fa046 | False | 0.633532072368421 | data | 6.750447756020646 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data | 0x49000 | 0xf3b8 | 0x6000 | 37ee15fa5f7b29f14fa1859ed5f9492e | False | 0.5150960286458334 | data | 6.834921683383106 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .reloc | 0x59000 | 0x4a84 | 0x4c00 | 6c0f61f766b829a38aab799e5f52d226 | False | 0.5377261513157895 | data | 6.339856173984861 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Oct 27, 2024 13:39:54.469590902 CET | 53 | 49858 | 1.1.1.1 | 192.168.2.6


                      Target ID:0
                      Start time:08:39:35
                      Start date:27/10/2024
                      Path:C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f682a1d474.dat-decoded.exe"
                      Imagebase:0x400000
                      File size:354'019 bytes
                      MD5 hash:41EB06F85E275528A2142CF18DB54A72
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:false

                      Target ID:4
                      Start time:08:39:35
                      Start date:27/10/2024
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 224
                      Imagebase:0xed0000
                      File size:483'680 bytes
                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                        Memory Dump Source
                        • Source File: 00000000.00000002.3641513110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3641499390.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641543229.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641557307.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641572013.0000000000449000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641587455.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f68.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 992da56a12b929749f5b34514ef4403dc7cd1c8e496927517b658f2e5690325d
                        • Instruction ID: 33d1fa796b1d896eb3f1c7a1f020b0e48ef70a42adf84ec873fa5626091bade2
                        • Opcode Fuzzy Hash: 992da56a12b929749f5b34514ef4403dc7cd1c8e496927517b658f2e5690325d
                        • Instruction Fuzzy Hash: 49611CB3E443244BC728CEA4DC9129AF392EBD4660F0FD62DEC45E7700E57DAD464A89
                        Memory Dump Source
                        • Source File: 00000000.00000002.3641513110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3641499390.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641543229.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641557307.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641572013.0000000000449000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641587455.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f68.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cfa8fd6e708e242520525c30bfcadfa422ce028f315f66dc66fbe8ec01c725ec
                        • Instruction ID: ddd1b86d349be93cd26abd39a089ad28cebcfcecbc2669ff4f6db5009d02065c
                        • Opcode Fuzzy Hash: cfa8fd6e708e242520525c30bfcadfa422ce028f315f66dc66fbe8ec01c725ec
                        • Instruction Fuzzy Hash: E271A270609341CFC722DF18D88539ABBE1EFD6304F198A6EC9C597286D338A552CB96
                        Memory Dump Source
                        • Source File: 00000000.00000002.3641513110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3641499390.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641543229.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641557307.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641572013.0000000000449000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641587455.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f68.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 8c31fb140ed6bf20187175e22f0a7b43266736225535e38520ef6b94780b61b6
                        • Instruction ID: 96f5fc08c655095b160617391283794c17b460828c94bb8a9a883e3b036af509
                        • Opcode Fuzzy Hash: 8c31fb140ed6bf20187175e22f0a7b43266736225535e38520ef6b94780b61b6
                        • Instruction Fuzzy Hash: F9613C7110C380CFC315CB58884065BBFE0AFAA704F540D6EE5C5A7792C675EA09CBAB
                        Memory Dump Source
                        • Source File: 00000000.00000002.3641513110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3641499390.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641543229.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641557307.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641572013.0000000000449000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641587455.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f68.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2756ed4631783ae0cc829404af07eadf753561bb50897bdfdf90c7d9c5c52181
                        • Instruction ID: 29538516de44edcf7582a9e2b727cf2f55695f5a19e8fd380397c09a88aa26e7
                        • Opcode Fuzzy Hash: 2756ed4631783ae0cc829404af07eadf753561bb50897bdfdf90c7d9c5c52181
                        • Instruction Fuzzy Hash: A521C637B1C7614BE3518F35DCC45477792EB87214B1A017ADE81D7382C636F802E296
                        Memory Dump Source
                        • Source File: 00000000.00000002.3641513110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3641499390.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641543229.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641557307.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641572013.0000000000449000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641587455.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f68.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: df886b0847863313051c2667727db0ab781dfdfa4379abec52b675b3adf67df5
                        • Instruction ID: 973ffdcea0d592f631ef01c1131d7206f6ae1fd1f2d280df51a51869193aa499
                        • Opcode Fuzzy Hash: df886b0847863313051c2667727db0ab781dfdfa4379abec52b675b3adf67df5
                        • Instruction Fuzzy Hash: 5401BC3BB285314BF3519F79ECC814A6353FB8B21530E0231EA82D7342C632F412E28A
                        Memory Dump Source
                        • Source File: 00000000.00000002.3641513110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3641499390.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641543229.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641557307.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641572013.0000000000449000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641587455.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f68.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1f28a8a5de9b0aa23fd99f53cd2d8b87933a2631140e4c19104637d173a8c570
                        • Instruction ID: 6c04391225370861c0d4043648be8474e9e55333c0dae57bd26468f16cf2eb63
                        • Opcode Fuzzy Hash: 1f28a8a5de9b0aa23fd99f53cd2d8b87933a2631140e4c19104637d173a8c570
                        • Instruction Fuzzy Hash: 59F0E22BB2867147F7919F66ECC410A6303E78B21570E0135EF81D7382C676F512E25A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3641513110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3641499390.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641543229.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641557307.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641572013.0000000000449000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641587455.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f68.jbxd
                        Similarity
                        • API ID:
                        • String ID: 0000$0000$0000$0000$0000$0000$0000
                        • API String ID: 0-3735745554
                        • Opcode ID: 97be3ee8353ebcccb5fd9c356fa5382d5f9c485eb5905a2df973ccc4d463490a
                        • Instruction ID: e5378a02405b101bcdf5dbed652373363ec6d2d21f896ddc0aa595c3e7dd57fb
                        • Opcode Fuzzy Hash: 97be3ee8353ebcccb5fd9c356fa5382d5f9c485eb5905a2df973ccc4d463490a
                        • Instruction Fuzzy Hash: 78115EBD2273804FC7089F0489E8656BF59FB56344369C6AAC4471B2E2D3B58803DB8E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3641513110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3641499390.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641543229.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641557307.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641572013.0000000000449000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641587455.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f68.jbxd
                        Similarity
                        • API ID:
                        • String ID: 0000$0000$0000$0000$0000$0000$0000
                        • API String ID: 0-3735745554
                        • Opcode ID: 8cc84ef14e8c139efcd8b1de24fc7b879e2537f081eb35a549e7ee1673a866ce
                        • Instruction ID: 3c1ac74e3f97160d7814e9761efe813063702cfa5cd85854cd263fed32d1d0fc
                        • Opcode Fuzzy Hash: 8cc84ef14e8c139efcd8b1de24fc7b879e2537f081eb35a549e7ee1673a866ce
                        • Instruction Fuzzy Hash: 310161BD6173808FC7098F1489A8605BF69BB56244359C1AAC4474F2E2E3B5C902CF8F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3641513110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3641499390.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641543229.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641557307.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641572013.0000000000449000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641587455.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f68.jbxd
                        Similarity
                        • API ID:
                        • String ID: @DvF$Jxzv$_kQT$a[[d
                        • API String ID: 0-2174979120
                        • Opcode ID: 2d8366e74524e5093e30f7680ddec45d2930d59e69f81c80475d04386c52cd36
                        • Instruction ID: 1f3a0a8d3e70423f2bf4a75cc8649767a6149206e9a7a498639a5e44bad7eead
                        • Opcode Fuzzy Hash: 2d8366e74524e5093e30f7680ddec45d2930d59e69f81c80475d04386c52cd36
                        • Instruction Fuzzy Hash: 8171E37050D3C18FD7128F69885029BBFE0AF97318F184EAED4D1AB392D778854AC756
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3641513110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3641499390.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641543229.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641557307.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641572013.0000000000449000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641587455.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f68.jbxd
                        Similarity
                        • API ID:
                        • String ID: !m%k$#i4g$+e(c$yw
                        • API String ID: 0-579512773
                        • Opcode ID: 6e9b7c751517cdbc06bb436c88e5d05743f4077e86103d70768e6b00b4fc371b
                        • Instruction ID: 57514c8425cd2fd664880043902cd7e69d9183ebd53fa6c61cf51f223200030c
                        • Opcode Fuzzy Hash: 6e9b7c751517cdbc06bb436c88e5d05743f4077e86103d70768e6b00b4fc371b
                        • Instruction Fuzzy Hash: D35178B154D3C18FE3329F2088557CABFB1AF92300F19899EC5C98B296E7794546CB53
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.3641513110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                        • Associated: 00000000.00000002.3641499390.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641543229.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641557307.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641572013.0000000000449000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.3641587455.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_400000_17300326286fc6e1e6890015b3b51edbcffbeeeb53d18d19cce1fb289d5f0a36124f68.jbxd
                        Similarity
                        • API ID:
                        • String ID: !q"s$#iJk$*u&w$0e-g
                        • API String ID: 0-3825726463
                        • Opcode ID: 3135c7baf312c3557c70f0376436dfd03e155d8f7ecc23642683bdfda1843212
                        • Instruction ID: 4e1464e1ccee8a0c2a5fd956f5e32923f0b79b51bff7f4d65ef434471bc5245a
                        • Opcode Fuzzy Hash: 3135c7baf312c3557c70f0376436dfd03e155d8f7ecc23642683bdfda1843212
                        • Instruction Fuzzy Hash: 9001EEB0054BA09FC3368F26A591206BFF0BF52600B616E1DC5E65FB29DB70A050CF45