Windows Analysis Report
80441fcf.exe

Overview

General Information

Sample name: 80441fcf.exe
Analysis ID: 1480529
MD5: d3c1c1a07fc43292e7e29e57c752d4c5
SHA1: 378c2bf9ece8f5db60f56fda569d24c413d64b55
SHA256: 80441fcf20760b653d36c4bc78c58c9e05b190e811767c7ed523a904e53b0684
Tags: exe

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Sigma detected: Search for Antivirus process
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file does not import any functions
PE file overlay found
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: 80441fcf.exe Avira: detected
Source: technologyenterdo.shop Avira URL Cloud: Label: malware
Source: https://assumptionflattyou.shop/api Avira URL Cloud: Label: malware
Source: associationokeo.shop Avira URL Cloud: Label: malware
Source: turkeyunlikelyofw.shop Avira URL Cloud: Label: malware
Source: detectordiscusser.shop Avira URL Cloud: Label: malware
Source: https://assumptionflattyou.shop:443/api Avira URL Cloud: Label: malware
Source: 0000000C.00000002.2541661745.0000000003CF0000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "problemregardybuiwo.fun", "lighterepisodeheighte.fun", "technologyenterdo.shop", "assumptionflattyou.shop"], "Build id": "HpOoIh--@Zakielk"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 97.7% probability
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String decryptor: associationokeo.shop
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String decryptor: turkeyunlikelyofw.shop
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String decryptor: pooreveningfuseor.pw
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String decryptor: edurestunningcrackyow.fun
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String decryptor: detectordiscusser.shop
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String decryptor: problemregardybuiwo.fun
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String decryptor: lighterepisodeheighte.fun
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String decryptor: technologyenterdo.shop
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String decryptor: assumptionflattyou.shop
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String decryptor: HpOoIh--@Zakielk
Source: 80441fcf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:64745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:64747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.163.54:443 -> 192.168.2.5:64748 version: TLS 1.2
Source: Binary string: Z:\7zsfxmm-cd920c2bb1fac536108acd5da87f93b5cd38e3fa\Output\Win32\7ZSfxMod.pdb source: 80441fcf.exe
Source: Binary string: Z:\7zsfxmm-cd920c2bb1fac536108acd5da87f93b5cd38e3fa\Output\Win32\7ZSfxMod.pdbt?= source: 80441fcf.exe
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Directory queried: number of queries: 1001
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_0040325A FindFirstFileW,FindClose,SetLastError,CompareFileTime, 0_2_0040325A
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_00402B9F FindFirstFileW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW, 0_2_00402B9F
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_00402CB4 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW, 0_2_00402CB4
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008BE1AC GetFileAttributesW,FindFirstFileW,FindClose, 12_2_008BE1AC
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008BD98E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_008BD98E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008CA29A FindFirstFileW,Sleep,FindNextFileW,FindClose, 12_2_008CA29A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008C6406 FindFirstFileW,FindNextFileW,FindClose, 12_2_008C6406
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_0088C5F3 FindFirstFileExW, 12_2_0088C5F3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008C70FE FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 12_2_008C70FE
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008C705D FindFirstFileW,FindClose, 12_2_008C705D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008BD65B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_008BD65B
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008C9DB1 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_008C9DB1
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Cookbook
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Increasingly

Networking

Source: Malware configuration extractor URLs: associationokeo.shop
Source: Malware configuration extractor URLs: turkeyunlikelyofw.shop
Source: Malware configuration extractor URLs: pooreveningfuseor.pw
Source: Malware configuration extractor URLs: edurestunningcrackyow.fun
Source: Malware configuration extractor URLs: detectordiscusser.shop
Source: Malware configuration extractor URLs: problemregardybuiwo.fun
Source: Malware configuration extractor URLs: lighterepisodeheighte.fun
Source: Malware configuration extractor URLs: technologyenterdo.shop
Source: Malware configuration extractor URLs: assumptionflattyou.shop
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: assumptionflattyou.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 57
    Host: assumptionflattyou.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 13683
    Host: assumptionflattyou.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 16226
    Host: assumptionflattyou.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20570
    Host: assumptionflattyou.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1270
    Host: assumptionflattyou.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 555626
    Host: assumptionflattyou.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008CD5B3 InternetReadFile,SetEvent,GetLastError,SetEvent, 12_2_008CD5B3
Source: global traffic DNS traffic detected: DNS query: qBnWsPFfTrJBhDSbGyd.qBnWsPFfTrJBhDSbGyd
Source: global traffic DNS traffic detected: DNS query: assumptionflattyou.shop
Source: global traffic DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: unknown HTTP traffic detected: POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: assumptionflattyou.shop
Source: 80441fcf.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 80441fcf.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 80441fcf.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 80441fcf.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 80441fcf.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 80441fcf.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 80441fcf.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 80441fcf.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 80441fcf.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp, 80441fcf.exe String found in binary or memory: http://ocsp.digicert.com0
Source: 80441fcf.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: 80441fcf.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: 80441fcf.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Apply.pif, 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmp, Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: 80441fcf.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://assumptionflattyou.shop/
Source: Apply.pif, 0000000C.00000002.2540514677.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assumptionflattyou.shop/4
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://assumptionflattyou.shop/Pa
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A8D000.00000004.00000800.00020000.00000000.sdmp, Apply.pif, 0000000C.00000002.2541881503.0000000004A74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://assumptionflattyou.shop/api
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://assumptionflattyou.shop/apir
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://assumptionflattyou.shop/apis
Source: Apply.pif, 0000000C.00000002.2540514677.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assumptionflattyou.shop/apiy
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://assumptionflattyou.shop/os
Source: Apply.pif, 0000000C.00000002.2540514677.0000000001620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://assumptionflattyou.shop:443/api
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Apply.pif.10.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 64745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 64747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 64748
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 64745

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_00406747 SetWindowsHookExW 00000002,Function_000075C3,00000000,00000000 0_2_00406747
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008CF286 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 12_2_008CF286
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008CF4F1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 12_2_008CF4F1
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008BA36F GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 12_2_008BA36F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008E9C62 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 12_2_008E9C62
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008C448D: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle, 12_2_008C448D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008B18E3 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 12_2_008B18E3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008BEF37 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 12_2_008BEF37
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_00404E5F 0_2_00404E5F
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_0041B853 0_2_0041B853
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_004150AE 0_2_004150AE
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_004161F1 0_2_004161F1
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_00416A1D 0_2_00416A1D
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_004183B0 0_2_004183B0
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_0041B4E1 0_2_0041B4E1
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_0041649B 0_2_0041649B
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_0040AD0B 0_2_0040AD0B
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_0040F5E4 0_2_0040F5E4
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_00411D80 0_2_00411D80
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_0041B5BB 0_2_0041B5BB
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_00415E7F 0_2_00415E7F
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_00416762 0_2_00416762
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_0041379E 0_2_0041379E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008581B0 12_2_008581B0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00872282 12_2_00872282
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_0088A23E 12_2_0088A23E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_0085E4CB 12_2_0085E4CB
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_0086C4DD 12_2_0086C4DD
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008DC5CB 12_2_008DC5CB
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00858690 12_2_00858690
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008C272F 12_2_008C272F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_0088E852 12_2_0088E852
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008B8991 12_2_008B8991
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00886ABB 12_2_00886ABB
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00858AF0 12_2_00858AF0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_0086CC3E 12_2_0086CC3E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_0087CDF0 12_2_0087CDF0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_0085D080 12_2_0085D080
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008E5033 12_2_008E5033
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00887129 12_2_00887129
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008716E4 12_2_008716E4
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00871A56 12_2_00871A56
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00869BAD 12_2_00869BAD
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00877B6B 12_2_00877B6B
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00877D9A 12_2_00877D9A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00871D00 12_2_00871D00
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00871FC7 12_2_00871FC7
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif F58D3A4B2F3F7F10815C24586FAE91964EEED830369E7E0701B43895B0CEFBD3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: String function: 00870D80 appears 45 times
Source: 80441fcf.exe Static PE information: invalid certificate
Source: Cookbook.0.dr Static PE information: No import functions for PE file found
Source: Cookbook.0.dr Static PE information: Data appended to the last section found
Source: 80441fcf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@23/9@3/2
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_00407280 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,lstrcpyW,lstrcpyW,lstrcpyW,LocalFree, 0_2_00407280
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008B17A1 AdjustTokenPrivileges,CloseHandle, 12_2_008B17A1
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008B1DA5 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 12_2_008B1DA5
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008C593C SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 12_2_008C593C
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008BDAC1 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification, 12_2_008BDAC1
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_004027BC _wtol,SHGetSpecialFolderPathW,_wtol,CoCreateInstance, 0_2_004027BC
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_00407483 SystemParametersInfoW,GetDC,GetDeviceCaps,MulDiv,ReleaseDC,GetModuleHandleW,FindResourceA,LoadResource,LockResource,DialogBoxIndirectParamW, 0_2_00407483
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2228:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:120:WilError_03
Source: C:\Users\user\Desktop\80441fcf.exe File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000 Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit
Source: 80441fcf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\80441fcf.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe File read: C:\Users\user\Desktop\80441fcf.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\80441fcf.exe "C:\Users\user\Desktop\80441fcf.exe"
Source: C:\Users\user\Desktop\80441fcf.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\80441fcf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 5758
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Cookbook + Increasingly + Rounds + Affordable 5758\Apply.pif
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Ink 5758\o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif 5758\Apply.pif 5758\o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Users\user\Desktop\80441fcf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 5758 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Cookbook + Increasingly + Rounds + Affordable 5758\Apply.pif Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Ink 5758\o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif 5758\Apply.pif 5758\o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1 Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: 80441fcf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Z:\7zsfxmm-cd920c2bb1fac536108acd5da87f93b5cd38e3fa\Output\Win32\7ZSfxMod.pdb source: 80441fcf.exe
Source: Binary string: Z:\7zsfxmm-cd920c2bb1fac536108acd5da87f93b5cd38e3fa\Output\Win32\7ZSfxMod.pdbt?= source: 80441fcf.exe
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00854E68 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 12_2_00854E68
Source: Cookbook.0.dr Static PE information: real checksum: 0xf5a21 should be: 0x427ba
Source: 80441fcf.exe Static PE information: real checksum: 0xf1ab1 should be: 0xf50ec
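The two checksum lines above compare the CheckSum field stored in the optional header with the value recomputed over the file on disk. The linker fills that field only when asked (MSVC's /RELEASE), so many user-mode binaries carry zero and a zero-versus-anything mismatch says little; a non-zero stored value that no longer matches is the useful signal, because it means bytes were changed or appended after the header was written, which is exactly what a self-extracting stub with an archive appended to its last section looks like (compare the "Data appended to the last section found" line for Cookbook). The Python below is an added example, not code from the report or from Joe Sandbox: it implements the imagehlp word-sum algorithm and exercises it on a constructed minimal PE32 image so it runs without a real sample. `build_minimal_pe` and everything it emits are test scaffolding, not a real binary.

```python
"""PE CheckSum recomputation, added example (not from the report or Joe Sandbox)."""
import struct


def _checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: PE signature (4) + COFF header (20) + 0x40."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4 + 20 + 0x40


def stored_checksum(data: bytes) -> int:
    """CheckSum value currently written in the optional header."""
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def pe_checksum(data: bytes) -> int:
    """Recompute the CheckSum the way imagehlp's CheckSumMappedFile does.

    Ones'-complement sum of every 16-bit little-endian word of the file with
    end-around carry, excluding the 4-byte CheckSum field itself; an odd
    trailing byte is taken as the low byte of a final word; the file length is
    then added to the folded 16-bit result.
    """
    skip = _checksum_field_offset(data)
    total = 0
    for off in range(0, len(data) - 1, 2):
        if skip <= off < skip + 4:
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    if len(data) % 2:
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def check(data: bytes):
    """Return (stored, computed, match). A non-zero stored value that does not
    match means the file changed after the linker wrote the header."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return stored, computed, stored == computed


def build_minimal_pe(section_bytes: bytes, checksum: int = 0) -> bytes:
    """Constructed test image (an assumption for this example, not a real
    sample): DOS header, PE signature, COFF header, 96-byte PE32 optional
    header without data directories, one blank section header, section bytes."""
    img = bytearray(0x40)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew
    img += b"PE\0\0"
    # Machine=i386, NumberOfSections=1, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=96, Characteristics=EXECUTABLE|32BIT
    img += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 0x40, checksum)         # CheckSum field
    img += opt + bytes(40) + section_bytes
    return bytes(img)


if __name__ == "__main__":
    img = build_minimal_pe(b"\x90" * 99)
    print(check(img))                                   # stored 0 vs computed: no match
    fixed = build_minimal_pe(b"\x90" * 99, checksum=pe_checksum(img))
    print(check(fixed))                                 # stored == computed
```

For a real file, `check(open(path, "rb").read())` gives the same pair of numbers the report prints; `pefile`'s `generate_checksum()` computes the identical value with 32-bit words, since both are ones'-complement sums.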
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_0041A84C push ecx; ret 0_2_0041A85C
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_0041ACD6 push ecx; ret 0_2_0041ACE9
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_0041A774 push eax; ret 0_2_0041A792
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_3_05AE9048 push ecx; retf 12_3_05AE904A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00870DC6 push ecx; ret 12_2_00870DD9

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Jump to dropped file
Source: C:\Users\user\Desktop\80441fcf.exe File created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Cookbook Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008E23FC IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 12_2_008E23FC
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_0086F64C GetForegroundWindow,FindWindowW,IsIconic,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,ShowWindow, 12_2_0086F64C
Source: C:\Users\user\Desktop\80441fcf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1 Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Cookbook Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif API coverage: 4.5 %
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif TID: 5264 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif TID: 2968 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_0040325A FindFirstFileW,FindClose,SetLastError,CompareFileTime, 0_2_0040325A
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_00402B9F FindFirstFileW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW, 0_2_00402B9F
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_00402CB4 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW, 0_2_00402CB4
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008BE1AC GetFileAttributesW,FindFirstFileW,FindClose, 12_2_008BE1AC
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008BD98E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_008BD98E
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008CA29A FindFirstFileW,Sleep,FindNextFileW,FindClose, 12_2_008CA29A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008C6406 FindFirstFileW,FindNextFileW,FindClose, 12_2_008C6406
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_0088C5F3 FindFirstFileExW, 12_2_0088C5F3
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008C70FE FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 12_2_008C70FE
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008C705D FindFirstFileW,FindClose, 12_2_008C705D
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008BD65B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_008BD65B
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008C9DB1 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_008C9DB1
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00854E68 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 12_2_00854E68
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Cookbook Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\Increasingly Jump to behavior
Source: Apply.pif, 0000000C.00000002.2541325415.0000000003B0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: Apply.pif, 0000000C.00000003.2482088449.0000000004B2C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Apply.pif, 0000000C.00000003.2482088449.0000000004B2C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A04000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
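The "System information queried: FirmwareTableInformation" entry above is the NtQuerySystemInformation class that GetSystemFirmwareTable wraps; the common reason a stealer asks for it is to pull the raw SMBIOS table (provider 'RSMB') and scan the BIOS, system and baseboard strings for a hypervisor vendor, which fits the VMware strings found in Apply.pif's memory. One caveat before treating every such string as evidence: "Hyper-V RAW" is the name of the AF_HYPERV Winsock protocol provider on current Windows, so it turns up in the memory of any process that enumerated Winsock protocols, not only in VM-detection code. The Python below is an added example, not code from the report or from the sample: it parses a blob in the RawSMBIOSData layout and reports strings that name a hypervisor. The marker list and the `build_sample_rsmb` blob are constructed for this example and were not captured from any machine.

```python
"""SMBIOS ('RSMB') table parser used to look for hypervisor vendor strings.
Added example; not code from the report or from the sample."""
import struct

# Lower-case substrings that identify common hypervisors in SMBIOS vendor,
# product and BIOS strings. The list is an assumption for this example.
HYPERVISOR_MARKERS = (
    "vmware", "virtualbox", "innotek", "qemu", "bochs", "xen",
    "kvm", "parallels", "hyper-v", "virtual machine",
)


def parse_smbios_tables(raw: bytes):
    """Yield (type, handle, formatted_area, strings) for each structure.

    `raw` has the RawSMBIOSData layout GetSystemFirmwareTable('RSMB') returns:
    Used20CallingMethod, major, minor, DmiRevision (1 byte each), Length (u32),
    then the table. Each structure is a 4-byte header (type, length, handle),
    `length - 4` formatted bytes, and a string set of NUL-terminated strings
    closed by an extra NUL (two NULs when the set is empty).
    """
    length = struct.unpack_from("<I", raw, 4)[0]
    table = raw[8:8 + length]
    off = 0
    while off + 4 <= len(table):
        stype, slen, handle = struct.unpack_from("<BBH", table, off)
        if slen < 4:
            raise ValueError(f"bad structure length {slen} at offset {off}")
        formatted = table[off + 4:off + slen]
        end = table.find(b"\0\0", off + slen)
        if end < 0:
            raise ValueError(f"unterminated string set at offset {off + slen}")
        strings = [s.decode("latin-1") for s in table[off + slen:end].split(b"\0") if s]
        yield stype, handle, formatted, strings
        if stype == 127:            # End-of-Table structure
            break
        off = end + 2


def hypervisor_indicators(raw: bytes):
    """Return (structure type, string) pairs whose text names a hypervisor."""
    hits = []
    for stype, _handle, _formatted, strings in parse_smbios_tables(raw):
        for s in strings:
            if any(marker in s.lower() for marker in HYPERVISOR_MARKERS):
                hits.append((stype, s))
    return hits


def _smbios_struct(stype: int, handle: int, formatted: bytes, strings: list) -> bytes:
    """Constructed helper: encode one structure plus its string set."""
    header = struct.pack("<BBH", stype, 4 + len(formatted), handle)
    tail = b"".join(s.encode("latin-1") + b"\0" for s in strings) + b"\0"
    return header + formatted + (tail if strings else b"\0\0")


def build_sample_rsmb(manufacturer: str, product: str) -> bytes:
    """Constructed RSMB blob (an assumption, not captured from any machine):
    Type 0 BIOS Information, Type 1 System Information, Type 127 End-of-Table.
    The formatted areas are zero-filled because only the strings matter here."""
    table = (
        _smbios_struct(0, 0x0000, bytes(20), ["Phoenix Technologies LTD", "6.00"])
        + _smbios_struct(1, 0x0001, bytes(23), [manufacturer, product])
        + _smbios_struct(127, 0x0002, b"", [])
    )
    return struct.pack("<BBBBI", 0, 2, 7, 0, len(table)) + table


if __name__ == "__main__":
    print(hypervisor_indicators(build_sample_rsmb("VMware, Inc.", "VMware Virtual Platform")))
    print(hypervisor_indicators(build_sample_rsmb("Dell Inc.", "Latitude 7420")))
```

On a live Windows host the same parser can be fed the output of `ctypes.windll.kernel32.GetSystemFirmwareTable(0x52534D42, 0, buf, size)`; the constructed blob is only there so the logic can be checked offline.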
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008CF229 BlockInput, 12_2_008CF229
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_0041AF8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041AF8A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00854E68 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 12_2_00854E68
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00875038 mov eax, dword ptr fs:[00000030h] 12_2_00875038
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008B1244 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 12_2_008B1244
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_0041B0EF SetUnhandledExceptionFilter, 0_2_0041B0EF
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_0041B2A5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041B2A5
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_0041AF8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041AF8A
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008828E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_008828E2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00870B8F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00870B8F
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00870D25 SetUnhandledExceptionFilter, 12_2_00870D25
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00870F71 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00870F71

HIPS / PFW / Operating System Protection Evasion

Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: associationokeo.shop
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: turkeyunlikelyofw.shop
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: pooreveningfuseor.pw
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: edurestunningcrackyow.fun
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: detectordiscusser.shop
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: problemregardybuiwo.fun
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: lighterepisodeheighte.fun
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: technologyenterdo.shop
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: assumptionflattyou.shop
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008B18E3 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 12_2_008B18E3
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_00401B98 ShellExecuteExW,WaitForSingleObject,CloseHandle, 0_2_00401B98
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_0086F64C GetForegroundWindow,FindWindowW,IsIconic,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,ShowWindow, 12_2_0086F64C
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008BE996 mouse_event, 12_2_008BE996
Source: C:\Users\user\Desktop\80441fcf.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 5758 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Cookbook + Increasingly + Rounds + Affordable 5758\Apply.pif Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Ink 5758\o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif 5758\Apply.pif 5758\o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008B1244 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 12_2_008B1244
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008B1D45 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 12_2_008B1D45
Source: Apply.pif Binary or memory string: Shell_TrayWnd
Source: 80441fcf.exe, 00000000.00000003.2163056937.0000000002710000.00000004.00001000.00020000.00000000.sdmp, Apply.pif, 0000000C.00000000.2190256797.00000000008ED000.00000002.00000001.01000000.00000005.sdmp, Apply.pif, 0000000C.00000003.2426382536.0000000004473000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: @EXITMETHOD@EXITCODEShell_TrayWnd-CALLGUICTRLREGISTERLISTVIEWSORTGUICTRLCREATELISTVIEWITEMGUICTRLCREATETREEVIEWITEMGUICTRLCREATECONTEXTMENUONAUTOITEXITUNREGISTERGUICTRLCREATELISTVIEWGUICTRLCREATEMENUITEMGUICTRLCREATECHECKBOXGUICTRLCREATEMONTHCALGUICTRLCREATEPROGRESSGUICTRLCREATETREEVIEWGUICTRLCREATEGRAPHICSTRINGFROMASCIIARRAYONAUTOITEXITREGISTERGUICTRLCREATETABITEMGUICTRLSETDEFBKCOLORINIREADSECTIONNAMESGUICTRLCREATEBUTTONDLLCALLBACKREGISTERGUICTRLCREATEUPDOWNGUICTRLCREATESLIDERSTRINGREGEXPREPLACEOBJCREATEINTERFACEGUICTRLSENDTODUMMYFILECREATESHORTCUTGUICTRLCREATEINPUTSOUNDSETWAVEVOLUMEFILECREATENTFSLINKGUISETACCELERATORSGUICTRLCREATECOMBOGUICTRLSETDEFCOLORPROCESSSETPRIORITYGUICTRLSETRESIZINGSTRINGTOASCIIARRAYDRIVEGETFILESYSTEMGUICTRLCREATEDUMMYTRAYITEMSETONEVENTGUICTRLCREATERADIOWINMINIMIZEALLUNDOGUICTRLCREATEGROUPGUICTRLCREATELABELAUTOITWINSETTITLEGUICTRLSETBKCOLORAUTOITWINGETTITLEGUICTRLSETGRAPHICGUICTRLCREATEDATEGUICTRLCREATEICONGUICTRLSETONEVENTCONSOLEWRITEERRORDLLCALLBACKGETPTRGUICTRLCREATELISTTRAYITEMGETHANDLEFILEFINDFIRSTFILEGUICTRLCREATEEDITGUICTRLCREATEMENUWINMENUSELECTITEMGUICTRLSETCURSORDLLSTRUCTGETDATASTATUSBARGETTEXTFILERECYCLEEMPTYFILESELECTFOLDERTRAYITEMSETSTATEDLLSTRUCTSETDATATRAYITEMGETSTATEWINGETCLIENTSIZEGUICTRLCREATEAVIHTTPSETUSERAGENTGUICTRLCREATEPICCONTROLGETHANDLEGUIGETCURSORINFOTRAYSETPAUSEICONFILEFINDNEXTFILEINIRENAMESECTIONDLLSTRUCTGETSIZESHELLEXECUTEWAITPROCESSWAITCLOSEGUICTRLCREATETABFILEGETSHORTNAMEWINWAITNOTACTIVEGUICTRLCREATEOBJGUICTRLGETHANDLESTRINGTRIMRIGHTGUICTRLSETLIMITGUICTRLSETIMAGEINIWRITESECTIONCONTROLTREEVIEWAUTOITSETOPTIONGUICTRLSETCOLORDLLSTRUCTGETPTRADLIBUNREGISTERDRIVESPACETOTALGUICTRLSETSTATEWINGE
TCLASSLISTGUICTRLGETSTATEFILEGETSHORTCUTDLLSTRUCTCREATEPROCESSGETSTATSCONTROLGETFOCUSDLLCALLBACKFREEGUICTRLSETSTYLEFILEREADTOARRAYTRAYITEMSETTEXTCONTROLLISTVIEWTRAYITEMGETTEXTFILEGETENCODINGFILEGETLONGNAMEGUICTRLSENDMSGSENDKEEPACTIVEDRIVESPACEFREEFILEOPENDIALOGGUICTRLRECVMSGCONTROLCOMMANDSTRINGTOBINARYWINMINIMIZEALLSTRINGISXDIGITTRAYSETONEVENTFILESAVEDIALOGDUMMYSPEEDTESTCONTROLGETTEXTMOUSECLICKDRAGGUICTRLSETFONTMOUSEGETCURSORWINGETCARETPOSCONTROLSETTEXTTRAYITEMDELETESTRINGTRIMLEFTDRIVEGETSERIALBINARYTOSTRINGGUICTRLSETDATAINIREADSECTIONUDPCLOSESOCKETCONTROLDISABLETRAYCREATEMENUTCPCLOSESOCKETDLLCALLADDRESSFILEGETVERSIONGUIREGISTERMSGTRAYSETTOOLTIPTRAYCREATEITEMDRIVEGETDRIVESTRINGISASCIISTRINGCOMPARESTRINGISALPHAPROCESSEXISTSSTRINGREVERSESTRINGSTRIPCRSPLASHIMAGEONGUICTRLSETTIPGUISTARTGROUPCONTROLGETPOSFILEGETATTRIBADLIBREGISTERDRIVESETLABELGUICTRLDELETEFILECHANGEDIRFILEWRITELINEPIXELCHECKSUMDRIVEGETLABELGUICTRLSETPOSGUISETBKCOLORPIXELGETCOLORSTRINGISDIGITSTRINGISFLOATWINWAITACTIVESTRINGISALNUMSTRINGISLOWERSTRINGISSPACEGUISETONEVENTSTRINGREPLACESTRINGSTRIPWSCONTROLENABLESTRINGISUPPERWINGETPROCESSFILESETATTRIBCONTROLFOCUSFILEREADLINEPROCESSCLOSEGUISETCURSORSPLASHTEXTONSTRINGFORMATTRAYSETSTATESTRINGREGEXPCONTROLCLICKSHELLEXECUTETRAYSETCLICKWINWAITCLOSEHTTPSETPROXYDRIVEGETTYPEWINGETHANDLECONSOLEWRITEGUIGETSTYLECONTROL
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_0041AAAF cpuid 0_2_0041AAAF
Source: C:\Users\user\Desktop\80441fcf.exe Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetLastError,GetEnvironmentVariableW,GetLastError,lstrcmpiW,SetLastError,lstrlenA,GetLocaleInfoW,_wtol,MultiByteToWideChar, 0_2_004030A0
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\80441fcf.exe Code function: 0_2_00402648 lstrlenW,GetSystemTimeAsFileTime,GetFileAttributesW, 0_2_00402648
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008AE514 GetUserNameW, 12_2_008AE514
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_0088BCA2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 12_2_0088BCA2
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_00854E68 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 12_2_00854E68
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 0000000C.00000002.2541881503.0000000004A04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Apply.pif PID: 6488, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum-LTC
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: Apply.pif, 0000000C.00000002.2541623497.0000000003CB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Apply.pif, 0000000C.00000003.2483458637.0000000004A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Edge/Default/Extensions/ExodusWeb3
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 80441fcf.exe, 00000000.00000003.2163056937.00000000027A7000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: $airplanespringfieldnice = 'withdrawalarkansascheckinghockeystoredossayingregionchesterappreciationpaymenttaughtdishes'
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\Application Data\Mozilla\Firefox Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: Apply.pif Binary or memory string: WIN_81
Source: Apply.pif Binary or memory string: WIN_XP
Source: Apply.pif Binary or memory string: WIN_XPe
Source: Apply.pif Binary or memory string: WIN_VISTA
Source: Apply.pif.10.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Apply.pif Binary or memory string: WIN_7
Source: Apply.pif Binary or memory string: WIN_8
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Directory queried: C:\Users\user\Documents\AFWAAFRXKO
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Directory queried: C:\Users\user\Documents\AFWAAFRXKO
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Directory queried: number of queries: 1001
Source: Yara match File source: Process Memory Space: Apply.pif PID: 6488, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 0000000C.00000002.2541881503.0000000004A04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Apply.pif PID: 6488, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008D198B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 12_2_008D198B
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif Code function: 12_2_008D1F8D socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 12_2_008D1F8D