Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:Setup.exe
Analysis ID:1639968
MD5:8a443990a56e497ab193daa5f0fa7514
SHA1:558fa8b2f21077a05a894380f0474bec95c9ca7f
SHA256:8caf2efa4d3943f36cf837549f6ab7180a4d1ab36bb6334c9900a65ced71d53e
Tags:AutoITexeLummaStealeruser-aachum
Infos:

Detection

Score:92
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Drops PE files with a suspicious file extension
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

Process Tree

  • System is w10x64
  • Setup.exe (PID: 7088 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 8A443990A56E497AB193DAA5F0FA7514)
    • cmd.exe (PID: 3240 cmdline: "C:\Windows\system32\cmd.exe" /c expand Collapse.mp4 Collapse.mp4.bat & Collapse.mp4.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • expand.exe (PID: 7592 cmdline: expand Collapse.mp4 Collapse.mp4.bat MD5: 544B0DBFF3F393BCE8BB9D815F532D51)
      • tasklist.exe (PID: 7100 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 2044 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 8220 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 8228 cmdline: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 8268 cmdline: cmd /c md 332790 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • extrac32.exe (PID: 8284 cmdline: extrac32 /Y /E Tit.mp4 MD5: 9472AAB6390E4F1431BAA912FCFF9707)
      • findstr.exe (PID: 8304 cmdline: findstr /V "Essence" Ensemble MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 8324 cmdline: cmd /c copy /b 332790\Surveys.com + Sage + Beaches + House + Camera + Lunch + Clip + Api + Distributors + Hardware + Lincoln + Conclusions 332790\Surveys.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 8340 cmdline: cmd /c copy /b ..\Deadly.mp4 + ..\Blah.mp4 + ..\Lighting.mp4 + ..\Shark.mp4 + ..\Birthday.mp4 + ..\Picked.mp4 + ..\South.mp4 + ..\States.mp4 + ..\Apparel.mp4 x MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Surveys.com (PID: 8356 cmdline: Surveys.com x MD5: 62D09F076E6E0240548C2F837536A46A)
      • choice.exe (PID: 8372 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

barindex
Sigma detected: Search for Antivirus process
Source: Process startedAuthor: Joe Security: Data: Command: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" , CommandLine: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c expand Collapse.mp4 Collapse.mp4.bat & Collapse.mp4.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3240, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" , ProcessId: 8228, ProcessName: findstr.exe

Suricata Signatures

TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-03-16T19:25:13.327080+010020283713Unknown Traffic192.168.2.549732104.21.112.1443TCP
2025-03-16T19:25:14.764124+010020283713Unknown Traffic192.168.2.549733104.21.112.1443TCP
2025-03-16T19:25:16.090486+010020283713Unknown Traffic192.168.2.549734104.21.112.1443TCP
2025-03-16T19:25:17.668007+010020283713Unknown Traffic192.168.2.549735104.21.112.1443TCP
2025-03-16T19:25:19.418475+010020283713Unknown Traffic192.168.2.549736104.21.112.1443TCP
2025-03-16T19:25:20.763201+010020283713Unknown Traffic192.168.2.549737104.21.112.1443TCP
2025-03-16T19:25:23.267623+010020283713Unknown Traffic192.168.2.549738104.21.112.1443TCP
2025-03-16T19:25:26.118006+010020283713Unknown Traffic192.168.2.549739191.101.230.18443TCP
2025-03-16T19:25:28.972642+010020283713Unknown Traffic192.168.2.549745162.125.66.18443TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus detection for URL or domain
Source: https://gunlovers.top/BjkwhAvira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Setup.exeVirustotal: Detection: 40%Perma Link
Source: Setup.exeReversingLabs: Detection: 25%
Joe Sandbox ML detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.3% probability
Source: Setup.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.125.66.18:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: Setup.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_00406850 FindFirstFileW,FindClose,0_2_00406850
Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_0040290B FindFirstFileW,0_2_0040290B
Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C26
Source: global trafficHTTP traffic detected: GET /scl/fi/t79mlwxgrgbr8pydnzmt7/88?rlkey=gx7qe6or05g0bb9micjcf77ti&st=283ybem9&dl=1 HTTP/1.1Connection: Keep-AliveHost: www.dropbox.com
Source: Joe Sandbox ViewIP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox ViewIP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox ViewIP Address: 162.125.66.18 162.125.66.18
Source: Joe Sandbox ViewIP Address: 191.101.230.18 191.101.230.18
Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49732 -> 104.21.112.1:443
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49733 -> 104.21.112.1:443
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49736 -> 104.21.112.1:443
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49734 -> 104.21.112.1:443
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49735 -> 104.21.112.1:443
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49738 -> 104.21.112.1:443
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49737 -> 104.21.112.1:443
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49745 -> 162.125.66.18:443
Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49739 -> 191.101.230.18:443
Source: global trafficHTTP traffic detected: POST /Bjkwh HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 51Host: gunlovers.top
Source: global trafficHTTP traffic detected: POST /Bjkwh HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CLiUMA72g1v4SfaUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14908Host: gunlovers.top
Source: global trafficHTTP traffic detected: POST /Bjkwh HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ddPrCT4T4vb89NUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15052Host: gunlovers.top
Source: global trafficHTTP traffic detected: POST /Bjkwh HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0uw75EaQZi6iUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20531Host: gunlovers.top
Source: global trafficHTTP traffic detected: POST /Bjkwh HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=g8lJZ5cDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2511Host: gunlovers.top
Source: global trafficHTTP traffic detected: POST /Bjkwh HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7Z35nqFGmUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 574781Host: gunlovers.top
Source: global trafficHTTP traffic detected: POST /Bjkwh HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 89Host: gunlovers.top
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /scl/fi/t79mlwxgrgbr8pydnzmt7/88?rlkey=gx7qe6or05g0bb9micjcf77ti&st=283ybem9&dl=1 HTTP/1.1Connection: Keep-AliveHost: www.dropbox.com
Source: global trafficDNS traffic detected: DNS query: EJianfplmOHpdTZrCvPPjySNcx.EJianfplmOHpdTZrCvPPjySNcx
Source: global trafficDNS traffic detected: DNS query: gunlovers.top
Source: global trafficDNS traffic detected: DNS query: www.suarakutim.com
Source: global trafficDNS traffic detected: DNS query: www.dropbox.com
Source: unknownHTTP traffic detected: POST /Bjkwh HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 51Host: gunlovers.top
Source: Surveys.com.2.dr, Conclusions.14.drString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Surveys.com.2.dr, Conclusions.14.drString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Surveys.com.2.dr, Conclusions.14.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Surveys.com.2.dr, Conclusions.14.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Surveys.com.2.dr, Conclusions.14.drString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Setup.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Surveys.com.2.dr, Conclusions.14.drString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Surveys.com.2.dr, Conclusions.14.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Surveys.com.2.dr, Conclusions.14.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Surveys.com.2.dr, Conclusions.14.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Surveys.com.2.dr, Conclusions.14.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Surveys.com.2.dr, Conclusions.14.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Surveys.com, 00000012.00000000.1312408850.0000000000695000.00000002.00000001.01000000.00000007.sdmp, Surveys.com.2.dr, Lincoln.14.drString found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Surveys.com.2.dr, Conclusions.14.drString found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Conclusions.14.drString found in binary or memory: https://www.globalsign.com/repository/0
Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: unknownHTTPS traffic detected: 162.125.66.18:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_004056BB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004056BB
Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040350A
Source: C:\Users\user\Desktop\Setup.exeFile created: C:\Windows\DifferentCwJump to behavior
Source: C:\Users\user\Desktop\Setup.exeFile created: C:\Windows\DemonstratedEvanescenceJump to behavior
Source: C:\Users\user\Desktop\Setup.exeFile created: C:\Windows\EquipmentOemJump to behavior
Source: C:\Users\user\Desktop\Setup.exeFile created: C:\Windows\StudentsWellsJump to behavior
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\332790\Surveys.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
Source: Setup.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engineClassification label: mal92.spyw.evad.winEXE@28/27@4/3
Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040350A
Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_00404967 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404967
Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_004021AA CoCreateInstance,0_2_004021AA
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3596:120:WilError_03
Source: C:\Users\user\Desktop\Setup.exeFile created: C:\Users\user\AppData\Local\Temp\nsh17D3.tmpJump to behavior
Source: C:\Users\user\Desktop\Setup.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Collapse.mp4 Collapse.mp4.bat & Collapse.mp4.bat
Source: Setup.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\Setup.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\Setup.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: Setup.exeVirustotal: Detection: 40%
Source: Setup.exeReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\Setup.exeFile read: C:\Users\user\Desktop\Setup.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Collapse.mp4 Collapse.mp4.bat & Collapse.mp4.bat
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\expand.exe expand Collapse.mp4 Collapse.mp4.bat
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 332790
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Tit.mp4
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Essence" Ensemble
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 332790\Surveys.com + Sage + Beaches + House + Camera + Lunch + Clip + Api + Distributors + Hardware + Lincoln + Conclusions 332790\Surveys.com
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Deadly.mp4 + ..\Blah.mp4 + ..\Lighting.mp4 + ..\Shark.mp4 + ..\Birthday.mp4 + ..\Picked.mp4 + ..\South.mp4 + ..\States.mp4 + ..\Apparel.mp4 x
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\332790\Surveys.com Surveys.com x
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\Setup.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Collapse.mp4 Collapse.mp4.bat & Collapse.mp4.batJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\expand.exe expand Collapse.mp4 Collapse.mp4.batJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 332790Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Tit.mp4Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Essence" Ensemble Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 332790\Surveys.com + Sage + Beaches + House + Camera + Lunch + Clip + Api + Distributors + Hardware + Lincoln + Conclusions 332790\Surveys.comJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Deadly.mp4 + ..\Blah.mp4 + ..\Lighting.mp4 + ..\Shark.mp4 + ..\Birthday.mp4 + ..\Picked.mp4 + ..\South.mp4 + ..\States.mp4 + ..\Apparel.mp4 xJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\332790\Surveys.com Surveys.com xJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: acgenral.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: samcli.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: msacm32.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: winmmbase.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: riched20.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: usp10.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: msls31.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\expand.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: wsock32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: napinsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: wshbth.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: winrnr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: webio.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: schannel.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: dpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: wbemcomn.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: amsi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\Setup.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: Setup.exeStatic file information: File size 35651546 > 1048576
Source: Setup.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Persistence and Installation Behavior

barindex
Drops PE files with a suspicious file extension
Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\332790\Surveys.comJump to dropped file
Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\332790\Surveys.comJump to dropped file
Source: C:\Users\user\Desktop\Setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Setup.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comSystem information queried: FirmwareTableInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.com TID: 8916Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_00406850 FindFirstFileW,FindClose,0_2_00406850
Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_0040290B FindFirstFileW,0_2_0040290B
Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C26
Source: C:\Users\user\Desktop\Setup.exeAPI call chain: ExitProcess graph end nodegraph_0-3369
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\Setup.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Collapse.mp4 Collapse.mp4.bat & Collapse.mp4.batJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\expand.exe expand Collapse.mp4 Collapse.mp4.batJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 332790Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Tit.mp4Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Essence" Ensemble Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 332790\Surveys.com + Sage + Beaches + House + Camera + Lunch + Clip + Api + Distributors + Hardware + Lincoln + Conclusions 332790\Surveys.comJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Deadly.mp4 + ..\Blah.mp4 + ..\Lighting.mp4 + ..\Shark.mp4 + ..\Birthday.mp4 + ..\Picked.mp4 + ..\South.mp4 + ..\States.mp4 + ..\Apparel.mp4 xJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\332790\Surveys.com Surveys.com xJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
Source: Surveys.com, 00000012.00000000.1312320401.0000000000683000.00000002.00000001.01000000.00000007.sdmp, Surveys.com.2.dr, Lincoln.14.drBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040350A
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

barindex
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.dbJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqliteJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqliteJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.jsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comDirectory queried: C:\Users\user\Documents\RAYHIWGKDIJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comDirectory queried: C:\Users\user\Documents\SQRKHNBNYNJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comDirectory queried: C:\Users\user\Documents\SQRKHNBNYNJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
Source: C:\Users\user\AppData\Local\Temp\332790\Surveys.comDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting		Valid Accounts121
Windows Management Instrumentation		1
Scripting		1
Access Token Manipulation		11
Masquerading		2
OS Credential Dumping		21
Security Software Discovery		Remote Services31
Data from Local System		1
Encrypted Channel		Exfiltration Over Other Network Medium1
System Shutdown/Reboot
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		12
Process Injection		21
Virtualization/Sandbox Evasion		LSASS Memory21
Virtualization/Sandbox Evasion		Remote Desktop Protocol1
Clipboard Data		1
Ingress Tool Transfer		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
DLL Side-Loading		1
Access Token Manipulation		Security Account Manager3
Process Discovery		SMB/Windows Admin SharesData from Network Shared Drive3
Non-Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
Process Injection		NTDS12
File and Directory Discovery		Distributed Component Object ModelInput Capture14
Application Layer Protocol		Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading		LSA Secrets25
System Information Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.