Edit tour

Windows Analysis Report
0V0Q7kWH0N.exe

Overview

General Information

Sample name:	0V0Q7kWH0N.exe renamed because original name is a hash value
Original sample name:	019b0ee933aa09404fb1c389dca4f4d1.exe
Analysis ID:	1632259
MD5:	019b0ee933aa09404fb1c389dca4f4d1
SHA1:	fef381e3cf9fd23d2856737b51996ed6a5bb3e1d
SHA256:	ed3214368e1d12d1da9b096b3a2664dfa000f4986ca506de2f0df3e4ee9dda4f
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

0V0Q7kWH0N.exe (PID: 6748 cmdline: "C:\Users\user\Desktop\0V0Q7kWH0N.exe" MD5: 019B0EE933AA09404FB1C389DCA4F4D1)

0V0Q7kWH0N.exe (PID: 6872 cmdline: "C:\Users\user\Desktop\0V0Q7kWH0N.exe" MD5: 019B0EE933AA09404FB1C389DCA4F4D1)

WerFault.exe (PID: 6988 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 772 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1570324966.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1360016526.0000000003769000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 0V0Q7kWH0N.exe PID: 6872	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
2.2.0V0Q7kWH0N.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.0V0Q7kWH0N.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.0V0Q7kWH0N.exe.3769658.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:34:43.169516+0100	2028371	3	Unknown Traffic	192.168.2.12	49688	104.21.96.1	443	TCP
2025-03-07T21:34:46.312987+0100	2028371	3	Unknown Traffic	192.168.2.12	49691	104.21.96.1	443	TCP
2025-03-07T21:34:50.361276+0100	2028371	3	Unknown Traffic	192.168.2.12	49695	104.21.96.1	443	TCP
2025-03-07T21:34:53.988197+0100	2028371	3	Unknown Traffic	192.168.2.12	49696	104.21.96.1	443	TCP
2025-03-07T21:34:57.599672+0100	2028371	3	Unknown Traffic	192.168.2.12	49697	104.21.96.1	443	TCP
2025-03-07T21:35:01.713153+0100	2028371	3	Unknown Traffic	192.168.2.12	49699	104.21.96.1	443	TCP
2025-03-07T21:35:08.940877+0100	2028371	3	Unknown Traffic	192.168.2.12	49700	104.21.96.1	443	TCP
2025-03-07T21:35:10.931468+0100	2028371	3	Unknown Traffic	192.168.2.12	49701	188.114.97.3	443	TCP

HTTP traffic detected: POST /JnsHY HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 57Host: arisechairedd.shop

Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: 0V0Q7kWH0N.exe, 00000002.00000002.1571347828.000000000123B000.00000004.00000020.00020000.00000000.sdmp, 0V0Q7kWH0N.exe, 00000002.00000002.1571244807.00000000011C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arisechairedd.shop/JnsHY
Source: 0V0Q7kWH0N.exe, 00000002.00000002.1571609900.0000000001263000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begindecafer.world/
Source: 0V0Q7kWH0N.exe, 00000002.00000002.1571609900.0000000001263000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begindecafer.world/(-fo-
Source: 0V0Q7kWH0N.exe, 00000002.00000002.1571347828.0000000001208000.00000004.00000020.00020000.00000000.sdmp, 0V0Q7kWH0N.exe, 00000002.00000002.1571223589.00000000011BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begindecafer.world/QwdZdf
Source: 0V0Q7kWH0N.exe, 00000002.00000002.1571347828.0000000001208000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begindecafer.world/QwdZdfp
Source: 0V0Q7kWH0N.exe, 00000002.00000002.1571244807.00000000011C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begindecafer.world:443/QwdZdf

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.12:49688 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.12:49691 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.12:49695 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.12:49696 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.12:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.12:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.12:49701 version: TLS 1.2

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe

Code function: 2_2_0043EF10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

2_2_0043EF10

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe

Code function: 2_2_0043EF10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

2_2_0043EF10

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe

Code function: 2_2_0043F0B0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

2_2_0043F0B0

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 0_2_009F2630	0_2_009F2630
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00411822	2_2_00411822
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0044D0C0	2_2_0044D0C0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004300B0	2_2_004300B0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00428900	2_2_00428900
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0041B1D8	2_2_0041B1D8
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0040DA3A	2_2_0040DA3A
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00420B40	2_2_00420B40
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0044C320	2_2_0044C320
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004373CB	2_2_004373CB
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0042CBB0	2_2_0042CBB0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0041A430	2_2_0041A430
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00443C30	2_2_00443C30
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004155F6	2_2_004155F6
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004476C0	2_2_004476C0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00449775	2_2_00449775
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0040D780	2_2_0040D780
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00401040	2_2_00401040
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0042D850	2_2_0042D850
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00404802	2_2_00404802
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00407006	2_2_00407006
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00409030	2_2_00409030
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0044C8C0	2_2_0044C8C0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004490EF	2_2_004490EF
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0044A88E	2_2_0044A88E
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0044C0A0	2_2_0044C0A0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0041E0AC	2_2_0041E0AC
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004318B6	2_2_004318B6
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00430962	2_2_00430962
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00445160	2_2_00445160
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0043617E	2_2_0043617E
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0044B900	2_2_0044B900
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00429910	2_2_00429910
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00432120	2_2_00432120
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004311DA	2_2_004311DA
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004361D8	2_2_004361D8
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00420180	2_2_00420180
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00455186	2_2_00455186
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0041D99F	2_2_0041D99F
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004379A0	2_2_004379A0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004551A3	2_2_004551A3
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004379AF	2_2_004379AF
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004139AF	2_2_004139AF
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0044B9B0	2_2_0044B9B0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004269B4	2_2_004269B4
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00448240	2_2_00448240
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0044BA40	2_2_0044BA40
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00443250	2_2_00443250
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0043B238	2_2_0043B238
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0041FA3D	2_2_0041FA3D
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00438AC0	2_2_00438AC0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0041E2C6	2_2_0041E2C6
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00436AE5	2_2_00436AE5
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0040D2F0	2_2_0040D2F0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004362F9	2_2_004362F9
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00423A80	2_2_00423A80
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0042BA81	2_2_0042BA81
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00431A8C	2_2_00431A8C
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0042DAA2	2_2_0042DAA2
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004292A0	2_2_004292A0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00402B50	2_2_00402B50
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00444B60	2_2_00444B60
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0043DB6D	2_2_0043DB6D
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00416312	2_2_00416312
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0041D315	2_2_0041D315
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0040FB20	2_2_0040FB20
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00408B20	2_2_00408B20
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0042D32F	2_2_0042D32F
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0040CBD0	2_2_0040CBD0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0040A390	2_2_0040A390
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00445390	2_2_00445390
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00435440	2_2_00435440
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0041B1D8	2_2_0041B1D8
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0040C470	2_2_0040C470
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0044BCE0	2_2_0044BCE0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00435CF0	2_2_00435CF0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0044CC80	2_2_0044CC80
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0040DC9E	2_2_0040DC9E
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00432540	2_2_00432540
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0041CD45	2_2_0041CD45
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00447D50	2_2_00447D50
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0041B55A	2_2_0041B55A
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0043357B	2_2_0043357B
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0043C530	2_2_0043C530
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00403580	2_2_00403580
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00420589	2_2_00420589
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0040B590	2_2_0040B590
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0043E5A0	2_2_0043E5A0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004095B0	2_2_004095B0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004245B0	2_2_004245B0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00423E50	2_2_00423E50
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00430650	2_2_00430650
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0040E660	2_2_0040E660
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0044266C	2_2_0044266C
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00430670	2_2_00430670
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00439E08	2_2_00439E08
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00407E30	2_2_00407E30
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0041EEFE	2_2_0041EEFE
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0044B680	2_2_0044B680
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0044BE90	2_2_0044BE90
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00445747	2_2_00445747
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00444750	2_2_00444750
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0042F760	2_2_0042F760
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00403F20	2_2_00403F20
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00442FF0	2_2_00442FF0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00402790	2_2_00402790
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00416F90	2_2_00416F90
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0044B790	2_2_0044B790
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0043BFA3	2_2_0043BFA3
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0044B7A9	2_2_0044B7A9
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0044B7AB	2_2_0044B7AB

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: String function: 0040B380 appears 46 times
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: String function: 0041A420 appears 110 times

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 772

Source: 0V0Q7kWH0N.exe, 00000000.00000002.1358107877.000000000079E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 0V0Q7kWH0N.exe
Source: 0V0Q7kWH0N.exe, 00000000.00000000.1247505299.0000000000236000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePortals.exe0 vs 0V0Q7kWH0N.exe
Source: 0V0Q7kWH0N.exe, 00000000.00000002.1360016526.0000000003769000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePortals.exe0 vs 0V0Q7kWH0N.exe
Source: 0V0Q7kWH0N.exe	Binary or memory string: OriginalFilenamePortals.exe0 vs 0V0Q7kWH0N.exe

Source: 0V0Q7kWH0N.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0V0Q7kWH0N.exe

Static PE information: Section: .CSS ZLIB complexity 1.0003352171985815

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/6@2/2

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe

Code function: 2_2_00443C30 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_00443C30

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6748

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\30243953-5bfe-4d62-b7f6-86c8092ebeb1

Jump to behavior

Source: 0V0Q7kWH0N.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0V0Q7kWH0N.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0V0Q7kWH0N.exe	Virustotal: Detection: 62%
Source: 0V0Q7kWH0N.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe

File read: C:\Users\user\Desktop\0V0Q7kWH0N.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0V0Q7kWH0N.exe "C:\Users\user\Desktop\0V0Q7kWH0N.exe"
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process created: C:\Users\user\Desktop\0V0Q7kWH0N.exe "C:\Users\user\Desktop\0V0Q7kWH0N.exe"
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6748 -s 772
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process created: C:\Users\user\Desktop\0V0Q7kWH0N.exe "C:\Users\user\Desktop\0V0Q7kWH0N.exe"	Jump to behavior

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: 0V0Q7kWH0N.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 0V0Q7kWH0N.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 0V0Q7kWH0N.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb source: 0V0Q7kWH0N.exe
Source:	Binary string: Portals.pdb source: WERD9B2.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERD9B2.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdbLL source: WERD9B2.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERD9B2.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDSw source: WERD9B2.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD9B2.tmp.dmp.5.dr
Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb<;V; H;_CorExeMainmscoree.dll source: 0V0Q7kWH0N.exe
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERD9B2.tmp.dmp.5.dr
Source:	Binary string: Portals.pdbo source: WERD9B2.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERD9B2.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERD9B2.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdbh source: WERD9B2.tmp.dmp.5.dr

Source: 0V0Q7kWH0N.exe

Static PE information: 0xADFF511F [Mon Jul 3 22:20:15 2062 UTC]

Source: 0V0Q7kWH0N.exe

Static PE information: section name: .CSS

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004540A0 push 8B0042B4h; retn 0042h	2_2_004540A5
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_00450C4A push 0000001Ch; iretd	2_2_00450C4C
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_004525D2 push esp; retf	2_2_004525D5

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Memory allocated: 9F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Memory allocated: 2760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Memory allocated: 2460000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe TID: 6904	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe TID: 4268	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 0V0Q7kWH0N.exe, 00000002.00000002.1571244807.00000000011C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 6e d0 59 6b 97 52-b4 9a 7f 42 1f 0e 66 9c
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 0V0Q7kWH0N.exe, 00000002.00000002.1571118325.0000000001190000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH]
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe

Code function: 2_2_00449660 LdrInitializeThunk,

2_2_00449660

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 0_2_02762159 mov edi, dword ptr fs:[00000030h]		0_2_02762159
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 0_2_027622D6 mov edi, dword ptr fs:[00000030h]		0_2_027622D6

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe

Code function: 0_2_02762159 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02762159

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe

Memory written: C:\Users\user\Desktop\0V0Q7kWH0N.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe

Process created: C:\Users\user\Desktop\0V0Q7kWH0N.exe "C:\Users\user\Desktop\0V0Q7kWH0N.exe"

Jump to behavior

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Queries volume information: C:\Users\user\Desktop\0V0Q7kWH0N.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: 0V0Q7kWH0N.exe, 00000002.00000002.1571139270.00000000011A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 0V0Q7kWH0N.exe PID: 6872, type: MEMORYSTR
Source: Yara match	File source: 2.2.0V0Q7kWH0N.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.0V0Q7kWH0N.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0V0Q7kWH0N.exe.3769658.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1570324966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1360016526.0000000003769000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 0V0Q7kWH0N.exe, 00000002.00000002.1571244807.00000000011C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: 0V0Q7kWH0N.exe, 00000002.00000002.1571244807.00000000011C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: 0V0Q7kWH0N.exe, 00000002.00000002.1571347828.0000000001208000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: enllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmkjojpchpfgcmhfjnmpr!
Source: 0V0Q7kWH0N.exe, 00000002.00000002.1571347828.0000000001208000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: nce","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Bi
Source: 0V0Q7kWH0N.exe, 00000002.00000002.1571347828.0000000001234000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: 0V0Q7kWH0N.exe, 00000002.00000002.1571244807.00000000011C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Directory queried: C:\Users\user\Documents\AFWAAFRXKO	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Directory queried: C:\Users\user\Documents\AFWAAFRXKO	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Directory queried: C:\Users\user\Documents\JPEAFKFPZY	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Directory queried: C:\Users\user\Documents\JPEAFKFPZY	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Directory queried: C:\Users\user\Documents\ZSSZYEFYMU	Jump to behavior
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Directory queried: C:\Users\user\Documents\ZSSZYEFYMU	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 0V0Q7kWH0N.exe PID: 6872, type: MEMORYSTR
Source: Yara match	File source: 2.2.0V0Q7kWH0N.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.0V0Q7kWH0N.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0V0Q7kWH0N.exe.3769658.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1570324966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1360016526.0000000003769000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	23 Virtualization/Sandbox Evasion	2 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	23 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	41 Data from Local System	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source: https://begindecafer.world/(-fo-	Avira URL Cloud: Label: malware
Source: https://begindecafer.world:443/QwdZdf	Avira URL Cloud: Label: malware
Source: https://arisechairedd.shop/JnsHY	Avira URL Cloud: Label: malware
Source: https://begindecafer.world/QwdZdfp	Avira URL Cloud: Label: malware
Source: https://begindecafer.world/	Avira URL Cloud: Label: malware
Source: https://begindecafer.world/QwdZdf	Avira URL Cloud: Label: malware

Source: 00000000.00000002.1360016526.0000000003769000.00000004.00000800.00020000.00000000.sdmp	String decryptor: arisechairedd.shop/JnsHY
Source: 00000000.00000002.1360016526.0000000003769000.00000004.00000800.00020000.00000000.sdmp	String decryptor: begindecafer.world/QwdZdf
Source: 00000000.00000002.1360016526.0000000003769000.00000004.00000800.00020000.00000000.sdmp	String decryptor: garagedrootz.top/oPsoJAN
Source: 00000000.00000002.1360016526.0000000003769000.00000004.00000800.00020000.00000000.sdmp	String decryptor: modelshiverd.icu/bJhnsj
Source: 00000000.00000002.1360016526.0000000003769000.00000004.00000800.00020000.00000000.sdmp	String decryptor: catterjur.run/boSnzhu
Source: 00000000.00000002.1360016526.0000000003769000.00000004.00000800.00020000.00000000.sdmp	String decryptor: orangemyther.live/IozZ
Source: 00000000.00000002.1360016526.0000000003769000.00000004.00000800.00020000.00000000.sdmp	String decryptor: fostinjec.today/LksNAz

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49691 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49688 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49696 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49701 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49697 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49699 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49700 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49695 -> 104.21.96.1:443

Source: global traffic	HTTP traffic detected: POST /JnsHY HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 57Host: arisechairedd.shop
Source: global traffic	HTTP traffic detected: POST /JnsHY HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1L1e90rb72Er060User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14512Host: arisechairedd.shop
Source: global traffic	HTTP traffic detected: POST /JnsHY HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=68rkIwno87EUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15036Host: arisechairedd.shop
Source: global traffic	HTTP traffic detected: POST /JnsHY HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7Uuqb6yW1LY7Fkm596vUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20252Host: arisechairedd.shop
Source: global traffic	HTTP traffic detected: POST /JnsHY HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PyyLU24kT4User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2322Host: arisechairedd.shop
Source: global traffic	HTTP traffic detected: POST /JnsHY HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=cTzImi2K6waV0wQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 589152Host: arisechairedd.shop
Source: global traffic	HTTP traffic detected: POST /QwdZdf HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 95Host: begindecafer.world

Source: 0V0Q7kWH0N.exe	Virustotal: Detection: 62%			Perma Link
Source: 0V0Q7kWH0N.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0041B1D8 CryptUnprotectData,CryptUnprotectData,CryptUnprotectData,	2_2_0041B1D8
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0041B1D8 CryptUnprotectData,CryptUnprotectData,CryptUnprotectData,	2_2_0041B1D8
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 2_2_0041B55A CryptUnprotectData,	2_2_0041B55A

Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00411822
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+esi-000000FEh]	2_2_0044D0C0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	2_2_004300B0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F7D6D3F6h	2_2_0044D960
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-25088CECh]	2_2_00412124
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	2_2_0044C1D0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	2_2_0041B1D8
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_0041B1D8
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4AF8CFA6h]	2_2_0041B1D8
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	2_2_0041B1D8
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	2_2_0041B1D8
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000B2h]	2_2_00410994
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+14h]	2_2_0040DA3A
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+317AB538h]	2_2_0040DA3A
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+10h]	2_2_00420B40
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+10h]	2_2_00420B40
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov ebp, edx	2_2_0044C320
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_004373CB
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0042CBB0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then cmp word ptr [ebp+eax+00h], 0000h	2_2_0041A430
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then lea eax, dword ptr [ecx-6C0B83CEh]	2_2_0040D780
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h	2_2_0044C8C0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h]	2_2_004490EF
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00440880
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movsx edx, byte ptr [ebx+ecx]	2_2_0044A88E
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx-443B8DA2h]	2_2_0041E0AC
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_0041E0AC
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	2_2_0040E174
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	2_2_0044B900
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00429910
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-38B2FA5Ch]	2_2_00432120
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00432120
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+12h]	2_2_0040C130
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov dword ptr [esp], ebx	2_2_004369C1
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx-443B8DA2h]	2_2_0041D99F
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_0041D99F
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	2_2_0044B9B0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 720EEED4h	2_2_00448240
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+08h]	2_2_00448240
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6C0B83D6h]	2_2_00448240
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	2_2_0044BA40
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000084h]	2_2_0041E2C6
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov edx, edi	2_2_00423A80
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-79B0712Ah]	2_2_0042DAA2
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx edx, word ptr [eax]	2_2_0042DAA2
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	2_2_0042DAA2
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	2_2_004292A0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then cmp word ptr [eax+edx+02h], 0000h	2_2_00444B60
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov eax, ecx	2_2_0041EB66
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+02h]	2_2_00411368
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	2_2_0041A370
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	2_2_0041D315
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+12EB444Ah]	2_2_0040FB20
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov ebp, eax	2_2_00408B20
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_0042D32F
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2B12B9D2h]	2_2_0042F3C0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_0040A390
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_0040A390
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	2_2_0041B1D8
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_0041B1D8
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4AF8CFA6h]	2_2_0041B1D8
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	2_2_0041B1D8
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	2_2_0041B1D8
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+03h]	2_2_00424430
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_004374D1
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+5Dh]	2_2_0040DC9E
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00432540
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_0041B55A
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4AF8CFA6h]	2_2_0041B55A
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	2_2_0041B55A
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	2_2_0041B55A
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+2Ch]	2_2_00430650
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-52h]	2_2_00430670
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00433EE0
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	2_2_0041EEFE
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000084h]	2_2_0041EEFE
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	2_2_0044B680
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+03h]	2_2_00425F40
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 8D94E5DFh	2_2_00444750
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax]	2_2_00444750
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then jmp eax	2_2_0040F769
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ebp+02h]	2_2_00429F30
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68h]	2_2_0041FF37
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+62h]	2_2_00412F82
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+08h]	2_2_00422792
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	2_2_0044B790
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	2_2_0044B7A9
Source: C:\Users\user\Desktop\0V0Q7kWH0N.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	2_2_0044B7AB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: arisechairedd.shop
Source: global traffic	DNS traffic detected: DNS query: begindecafer.world

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0V0Q7kWH0N.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
0V0Q7kWH0N.exe