Windows Analysis Report
173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe

Overview

General Information

Sample name: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe
Analysis ID: 1545599
MD5: 1a5a84c727dba020f92a765814abcd28
SHA1: 4cc40dcef25834ceff8dc92bf73dd0087b9c2db6
SHA256: 9ad59d548f173fba235517acc0a5dbd416f3890cbf622767da02c83fc0c051e7
Tags: base64-decodedexeuser-abuse_ch
Infos:

Detection

LummaC
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
One or more processes crash
PE file does not import any functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

barindex
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Malware Configuration Extractor: LummaC {"C2 url": ["authorisev.site", "goalyfeastz.site", "servicedny.site", "dilemmadu.site", "contemteny.site", "seallysl.site", "computeryrati.site", "faulteyotk.site", "opposezmny.site"], "Build id": "BVnUqo--@noplohoy"}
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe ReversingLabs: Detection: 28%
Source: Submited Sample Integrated Neural Analysis Model: Matched 98.0% probability
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Joe Sandbox ML: detected
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe String decryptor: servicedny.site
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe String decryptor: authorisev.site
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe String decryptor: faulteyotk.site
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe String decryptor: dilemmadu.site
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe String decryptor: contemteny.site
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe String decryptor: goalyfeastz.site
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe String decryptor: opposezmny.site
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe String decryptor: seallysl.site
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe String decryptor: computeryrati.site
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe String decryptor: lid=%s&j=%s&ver=4.0
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe String decryptor: TeslaBrowser/5.5
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe String decryptor: - Screen Resoluton:
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe String decryptor: - Physical Installed Memory:
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe String decryptor: Workgroup: -
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe String decryptor: BVnUqo--@noplohoy
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx+7EFF7A94h] 1_2_0043E84A
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Code function: 4x nop then movzx esi, byte ptr [esi+ecx-4Eh] 1_2_0044547C
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h 1_2_00401000
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Code function: 4x nop then movzx esi, byte ptr [esi+ecx-4Eh] 1_2_0044542E
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h 1_2_0040111D
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Code function: 4x nop then movzx esi, byte ptr [esi+ecx-4Eh] 1_2_0044548B
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Code function: 4x nop then mov eax, dword ptr [edi+0Ch] 1_2_004060BC
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Code function: 4x nop then add al, ah 1_2_00405D52
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Code function: 4x nop then add al, ah 1_2_00405D7C
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h 1_2_0040392F
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h 1_2_00403933
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h 1_2_0040393A
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Code function: 4x nop then add al, ah 1_2_00405D3C

Networking

barindex
Source: Malware configuration extractor URLs: authorisev.site
Source: Malware configuration extractor URLs: goalyfeastz.site
Source: Malware configuration extractor URLs: servicedny.site
Source: Malware configuration extractor URLs: dilemmadu.site
Source: Malware configuration extractor URLs: contemteny.site
Source: Malware configuration extractor URLs: seallysl.site
Source: Malware configuration extractor URLs: computeryrati.site
Source: Malware configuration extractor URLs: faulteyotk.site
Source: Malware configuration extractor URLs: opposezmny.site
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Code function: 1_2_00442729 1_2_00442729
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Code function: 1_2_004073DE 1_2_004073DE
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Code function: 1_2_004073ED 1_2_004073ED
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Code function: 1_2_004073B5 1_2_004073B5
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7468 -s 228
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Static PE information: No import functions for PE file found
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal84.troj.evad.winEXE@2/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7468
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d1188a85-e542-48ff-a582-212ac6913761 Jump to behavior
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe "C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe"
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7468 -s 228
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Section loaded: apphelp.dll Jump to behavior
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Code function: 1_2_00401525 push dword ptr [edx+eax-77h]; ret 1_2_0040152A
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe Process queried: DebugPort Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe, 00000001.00000002.2625379231.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: servicedny.site
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe, 00000001.00000002.2625379231.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: authorisev.site
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe, 00000001.00000002.2625379231.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: faulteyotk.site
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe, 00000001.00000002.2625379231.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: dilemmadu.site
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe, 00000001.00000002.2625379231.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: contemteny.site
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe, 00000001.00000002.2625379231.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: goalyfeastz.site
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe, 00000001.00000002.2625379231.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: opposezmny.site
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe, 00000001.00000002.2625379231.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: seallysl.site
Source: 173030718882fd8a78aff7fb8b038f7e8db48cb3c09555ed53a2929bebf8d42568818593e6176.dat-decoded.exe, 00000001.00000002.2625379231.0000000000449000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: computeryrati.site
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

barindex
Source: Yara match File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: decrypted.binstr, type: MEMORYSTR
No contacted IP infos