Windows Analysis Report
173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe

ID:	1544506
Product:	CloudBasic
Start time:	14:21:08
Start date:	29.10.2024
Sample:	173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	1b5080ed4191301d6bf2c55db9776f2f
SHA1:	6bf5c25c39e4c5cf2c903593343a2e2c61fbf2c0
SHA256:	91808f0aa30e326b1ae07d127280b47a5a2f78e1e6020d18be5b362df60e9a5c
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_173020801091b6d9_893532b275f9231b0412ef68b7f2f637a31028_5295a938_a5ba80d4-9163-47e9-9285-13c25c61a61e\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	218D1CAF9108638D548D85F0133FFF66	0F038066C7620607BEACB55C7CE0BCF547C67418	C9254E80BED5D167B302FBD29C4032CC1144F4414121ECAB207746CDCCCD2F04
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE9C1.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Oct 29 13:22:07 2024, 0x1205a4 type	D5E242BC4165F0F05FF794E72721CA3A	B5011774C9DEA1801B08DDC8282200D78F00E308	FF8B769B717D1CDBF9E6D14160B6EEBF17C637EE81B73BF6A98C631CD23566EE
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA01.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	072A1EC6790122A5E46F7F9DB5DEE549	7113EA48FA2F28BE3D3994F532F9DD746F319C29	3BCD43CD2246762BEC55FE07FCD7B14958F7FC83D5E79A7865AAC43D3FC709E9
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA30.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	0A752972758C1809776776CF125A5100	461D23DA89185BD8A800871B7AF7AB92A8CCFB40	94B0B5D94BB500FA292DC570669050FAD3BA390522C4830DC6EE0BEE52F08957
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	03323DF6A833DCFFF8A8869E84A5098B	73DC7429E614F83829B3CF3F64CAE0409DEDCE63	974A0960E6DEBCEFEA25FB2FF9C037FD2E6A1D15A10B4AABC2D0DAEC984D4C15

AV Detection

Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe

Malware Configuration Extractor: LummaC {"C2 url": ["dilemmadu.site", "authorisev.site", "goalyfeastz.site", "seallysl.site", "contemteny.site", "opposezmny.site", "revirepart.biz", "faulteyotk.site", "servicedny.site"], "Build id": "HpOoIh--2a727a032c4d"}

Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe

ReversingLabs: Detection: 23%

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe

Joe Sandbox ML: detected

Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	String decryptor: servicedny.site
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	String decryptor: authorisev.site
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	String decryptor: faulteyotk.site
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	String decryptor: dilemmadu.site
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	String decryptor: contemteny.site
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	String decryptor: goalyfeastz.site
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	String decryptor: opposezmny.site
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	String decryptor: seallysl.site
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	String decryptor: revirepart.biz
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	String decryptor: lid=%s&j=%s&ver=4.0
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	String decryptor: TeslaBrowser/5.5
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	String decryptor: - Screen Resoluton:
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	String decryptor: - Physical Installed Memory:
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	String decryptor: Workgroup: -
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	String decryptor: HpOoIh--2a727a032c4d

Compliance

Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Software Vulnerabilities

Source: C:\Users\user\Desktop\173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h		0_2_00401000
Source: C:\Users\user\Desktop\173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h		0_2_0040111D
Source: C:\Users\user\Desktop\173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h		0_2_0040392F
Source: C:\Users\user\Desktop\173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h		0_2_00403933
Source: C:\Users\user\Desktop\173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h		0_2_0040393A
Source: C:\Users\user\Desktop\173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B62B8D10h		0_2_0040D33A

Networking

Source: Malware configuration extractor	URLs: dilemmadu.site
Source: Malware configuration extractor	URLs: authorisev.site
Source: Malware configuration extractor	URLs: goalyfeastz.site
Source: Malware configuration extractor	URLs: seallysl.site
Source: Malware configuration extractor	URLs: contemteny.site
Source: Malware configuration extractor	URLs: opposezmny.site
Source: Malware configuration extractor	URLs: revirepart.biz
Source: Malware configuration extractor	URLs: faulteyotk.site
Source: Malware configuration extractor	URLs: servicedny.site

Source: Amcache.hve.3.dr

String found in binary or memory: http://upx.sf.net

System Summary

Source: C:\Users\user\Desktop\173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe

Code function: 0_2_00441AE5

0_2_00441AE5

Source: C:\Users\user\Desktop\173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 224

Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe

Static PE information: No import functions for PE file found

Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@2/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6908

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\350c1be0-f205-4c3a-81bf-eed673dd590a

Jump to behavior

Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe

ReversingLabs: Detection: 23%

Source: unknown	Process created: C:\Users\user\Desktop\173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe "C:\Users\user\Desktop\173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe"
Source: C:\Users\user\Desktop\173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 224

Source: C:\Users\user\Desktop\173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe

Section loaded: apphelp.dll

Jump to behavior

Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: C:\Users\user\Desktop\173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe

Code function: 0_2_00401525 push dword ptr [edx+eax-77h]; ret

0_2_0040152A

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Anti Debugging

Source: C:\Users\user\Desktop\173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe	Process queried: DebugPort			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe, 00000000.00000000.1744205543.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: servicedny.site
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe, 00000000.00000000.1744205543.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: authorisev.site
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe, 00000000.00000000.1744205543.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: faulteyotk.site
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe, 00000000.00000000.1744205543.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: dilemmadu.site
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe, 00000000.00000000.1744205543.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: contemteny.site
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe, 00000000.00000000.1744205543.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: goalyfeastz.site
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe, 00000000.00000000.1744205543.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: opposezmny.site
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe, 00000000.00000000.1744205543.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: seallysl.site
Source: 173020801091b6d93ccb9140d87b71af62ee5395a2c40836f72d507ec12a068e010105f3fc219.dat-decoded.exe, 00000000.00000000.1744205543.0000000000449000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: revirepart.biz

Lowering of HIPS / PFW / Operating System Security Settings

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match

File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match

File source: decrypted.binstr, type: MEMORYSTR