Windows Analysis Report
je9t0bDEVN.exe

Overview

General Information

Sample name: je9t0bDEVN.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: 4dc3d7a6e1bef7cabd6e5e6681f3640628887a6beea0e096416baff784df7a3b
Analysis ID: 1436381
MD5: 0df8abbbbc63aa2e171466a6cf93b172
SHA1: fb8e1da97308f5466ce438222a0ea1c28efaaf01
SHA256: 4dc3d7a6e1bef7cabd6e5e6681f3640628887a6beea0e096416baff784df7a3b

Detection

LummaC
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: revivalsecularas.pw Avira URL Cloud: Label: malware
Source: bloockflad.pw Avira URL Cloud: Label: malware
Source: barbecueappledos.pw Avira URL Cloud: Label: malware
Source: keewoolas.pw Avira URL Cloud: Label: malware
Source: killredls.pw Avira URL Cloud: Label: malware
Source: steycools.pw Avira URL Cloud: Label: malware
Source: bookgames.pw Avira URL Cloud: Label: malware
Source: moskhoods.pw Avira URL Cloud: Label: malware
Source: dayzilons.pw Avira URL Cloud: Label: malware
Source: je9t0bDEVN.exe Malware Configuration Extractor: LummaC {"C2 url": ["barbecueappledos.pw", "killredls.pw", "keewoolas.pw", "moskhoods.pw", "dayzilons.pw", "revivalsecularas.pw", "steycools.pw", "bloockflad.pw", "bookgames.pw"], "Build id": "KjGtqi--Zinfandel"}
Source: bookgames.pw Virustotal: Detection: 15%
Source: bloockflad.pw Virustotal: Detection: 14%
Source: barbecueappledos.pw Virustotal: Detection: 11%
Source: revivalsecularas.pw Virustotal: Detection: 15%
Source: killredls.pw Virustotal: Detection: 15%
Source: keewoolas.pw Virustotal: Detection: 15%
Source: moskhoods.pw Virustotal: Detection: 16%
Source: steycools.pw Virustotal: Detection: 14%
Source: dayzilons.pw Virustotal: Detection: 12%
Source: je9t0bDEVN.exe ReversingLabs: Detection: 70%
Source: je9t0bDEVN.exe Virustotal: Detection: 48%
Source: je9t0bDEVN.exe Joe Sandbox ML: detected
Source: je9t0bDEVN.exe String decryptor: barbecueappledos.pw
Source: je9t0bDEVN.exe String decryptor: killredls.pw
Source: je9t0bDEVN.exe String decryptor: keewoolas.pw
Source: je9t0bDEVN.exe String decryptor: moskhoods.pw
Source: je9t0bDEVN.exe String decryptor: dayzilons.pw
Source: je9t0bDEVN.exe String decryptor: revivalsecularas.pw
Source: je9t0bDEVN.exe String decryptor: steycools.pw
Source: je9t0bDEVN.exe String decryptor: bloockflad.pw
Source: je9t0bDEVN.exe String decryptor: bookgames.pw
Source: je9t0bDEVN.exe String decryptor: lid=%s&j=%s&ver=4.0
Source: je9t0bDEVN.exe String decryptor: TeslaBrowser/5.5
Source: je9t0bDEVN.exe String decryptor: - Screen Resoluton:
Source: je9t0bDEVN.exe String decryptor: - Physical Installed Memory:
Source: je9t0bDEVN.exe String decryptor: Workgroup: -
Source: je9t0bDEVN.exe String decryptor: KjGtqi--Zinfandel
Source: je9t0bDEVN.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: Malware configuration extractor URLs: barbecueappledos.pw
Source: Malware configuration extractor URLs: killredls.pw
Source: Malware configuration extractor URLs: keewoolas.pw
Source: Malware configuration extractor URLs: moskhoods.pw
Source: Malware configuration extractor URLs: dayzilons.pw
Source: Malware configuration extractor URLs: revivalsecularas.pw
Source: Malware configuration extractor URLs: steycools.pw
Source: Malware configuration extractor URLs: bloockflad.pw
Source: Malware configuration extractor URLs: bookgames.pw
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_0041C04D 0_2_0041C04D
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_00451804 0_2_00451804
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_004188AD 0_2_004188AD
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_00428172 0_2_00428172
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_0041D97A 0_2_0041D97A
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_004272D8 0_2_004272D8
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_00409B60 0_2_00409B60
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_0040F3C4 0_2_0040F3C4
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_0041DB99 0_2_0041DB99
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_00404BAE 0_2_00404BAE
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_0044A439 0_2_0044A439
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_0044DDD0 0_2_0044DDD0
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_0040C5DC 0_2_0040C5DC
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_0041F5E4 0_2_0041F5E4
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_0040CF58 0_2_0040CF58
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_0040DF6A 0_2_0040DF6A
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_00413777 0_2_00413777
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_0041BF07 0_2_0041BF07
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_00418F19 0_2_00418F19
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: String function: 0044D690 appears 34 times
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 356
Source: je9t0bDEVN.exe, 00000000.00000000.1177490614.00000000007D7000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameQvConnect32.EXEZ vs je9t0bDEVN.exe
Source: je9t0bDEVN.exe Binary or memory string: OriginalFilenameQvConnect32.EXEZ vs je9t0bDEVN.exe
Source: classification engine Classification label: mal96.troj.evad.winEXE@2/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5992
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3e0d1180-cd5c-4327-90da-ccd17a8cd4f7
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\je9t0bDEVN.exe "C:\Users\user\Desktop\je9t0bDEVN.exe"
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 356
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Section loaded: wininet.dll
Source: je9t0bDEVN.exe Static file information: File size 4132864 > 1048576
Source: je9t0bDEVN.exe Static PE information: Raw size of ./PING/2 is bigger than: 0x100000 < 0x262000
Source: initial sample Static PE information: section where entry point is pointing to: ./PING/2
Source: je9t0bDEVN.exe Static PE information: real checksum: 0x284eca should be: 0x3f6de3
Source: je9t0bDEVN.exe Static PE information: section name: ./PING/0
Source: je9t0bDEVN.exe Static PE information: section name: ./PING/1
Source: je9t0bDEVN.exe Static PE information: section name: ./PING/2
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_00412B0A push ebx; retf 0004h 0_2_00412B0D
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_00776574 push 0F370C96h; mov dword ptr [esp], esi 0_2_0077657C
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_00401DCF push eax; mov dword ptr [esp], 00000000h 0_2_00401DD4
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_004686B1 push ecx; ret 0_2_004686C4
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_00415F5D push eax; ret 0_2_00415F5E
Source: je9t0bDEVN.exe Static PE information: section name: .text entropy: 6.8060853503210135
Source: je9t0bDEVN.exe Static PE information: section name: ./PING/0 entropy: 7.837674875091487
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_00465ADF mov eax, dword ptr fs:[00000030h] 0_2_00465ADF
Source: C:\Users\user\Desktop\je9t0bDEVN.exe Code function: 0_2_0045BEE6 mov ecx, dword ptr fs:[00000030h] 0_2_0045BEE6

HIPS / PFW / Operating System Protection Evasion

Source: je9t0bDEVN.exe, 00000000.00000000.1177245730.0000000000481000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: barbecueappledos.pw
Source: je9t0bDEVN.exe, 00000000.00000000.1177245730.0000000000481000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: killredls.pw
Source: je9t0bDEVN.exe, 00000000.00000000.1177245730.0000000000481000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: keewoolas.pw
Source: je9t0bDEVN.exe, 00000000.00000000.1177245730.0000000000481000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: moskhoods.pw
Source: je9t0bDEVN.exe, 00000000.00000000.1177245730.0000000000481000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: dayzilons.pw
Source: je9t0bDEVN.exe, 00000000.00000000.1177245730.0000000000481000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: revivalsecularas.pw
Source: je9t0bDEVN.exe, 00000000.00000000.1177245730.0000000000481000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: steycools.pw
Source: je9t0bDEVN.exe, 00000000.00000000.1177245730.0000000000481000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: bloockflad.pw
Source: je9t0bDEVN.exe, 00000000.00000000.1177245730.0000000000481000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: bookgames.pw
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: decrypted.binstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.binstr, type: MEMORYSTR
No contacted IP infos