Edit tour

Windows Analysis Report
OGF4TzdXZ9.exe

Overview

General Information

Sample name:	OGF4TzdXZ9.exe renamed because original name is a hash value
Original sample name:	062afdb00682152a3a158d7b87275c33.exe
Analysis ID:	1664020
MD5:	062afdb00682152a3a158d7b87275c33
SHA1:	62e59357a741789b1c34b0290bc30f873bd0568d
SHA256:	8b4796eb958dcfa36bf80dccc13f7f5a68b3301a1f034cac299a5ddc11d97a92
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

OGF4TzdXZ9.exe (PID: 8172 cmdline: "C:\Users\user\Desktop\OGF4TzdXZ9.exe" MD5: 062AFDB00682152A3A158D7B87275C33)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["clarmodq.top/qoxo", "soursopsf.run/gsoiao", "changeaie.top/geps", "easyupgw.live/eosz", "liftally.top/xasj", "upmodini.digital/gokk", "salaccgfa.top/gsooz", "zestmodp.top/zeda", "xcelmodo.run/nahd"], "Build id": "fd382b4d5e370fed3189565a05700419"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.2805207987.0000000003E38000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
00000001.00000002.2802761052.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: OGF4TzdXZ9.exe PID: 8172	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: OGF4TzdXZ9.exe PID: 8172	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.OGF4TzdXZ9.exe.f80000.1.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
1.2.OGF4TzdXZ9.exe.b0000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-13T09:18:41.925229+0200	2028371	3	Unknown Traffic	192.168.2.5	49696	104.21.85.126	443	TCP
2025-04-13T09:18:43.631261+0200	2028371	3	Unknown Traffic	192.168.2.5	49697	104.21.85.126	443	TCP
2025-04-13T09:18:45.157160+0200	2028371	3	Unknown Traffic	192.168.2.5	49698	104.21.85.126	443	TCP
2025-04-13T09:18:46.250940+0200	2028371	3	Unknown Traffic	192.168.2.5	49699	104.21.85.126	443	TCP
2025-04-13T09:18:49.030332+0200	2028371	3	Unknown Traffic	192.168.2.5	49700	104.21.85.126	443	TCP
2025-04-13T09:18:50.345961+0200	2028371	3	Unknown Traffic	192.168.2.5	49701	104.21.85.126	443	TCP
2025-04-13T09:18:52.527823+0200	2028371	3	Unknown Traffic	192.168.2.5	49702	104.21.85.126	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-13T09:18:41.925229+0200	2061392	1	Domain Observed Used for C2 Detected	192.168.2.5	49696	104.21.85.126	443	TCP
2025-04-13T09:18:43.631261+0200	2061392	1	Domain Observed Used for C2 Detected	192.168.2.5	49697	104.21.85.126	443	TCP
2025-04-13T09:18:45.157160+0200	2061392	1	Domain Observed Used for C2 Detected	192.168.2.5	49698	104.21.85.126	443	TCP
2025-04-13T09:18:46.250940+0200	2061392	1	Domain Observed Used for C2 Detected	192.168.2.5	49699	104.21.85.126	443	TCP
2025-04-13T09:18:49.030332+0200	2061392	1	Domain Observed Used for C2 Detected	192.168.2.5	49700	104.21.85.126	443	TCP
2025-04-13T09:18:50.345961+0200	2061392	1	Domain Observed Used for C2 Detected	192.168.2.5	49701	104.21.85.126	443	TCP
2025-04-13T09:18:52.527823+0200	2061392	1	Domain Observed Used for C2 Detected	192.168.2.5	49702	104.21.85.126	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clarmodq .top)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-13T09:18:41.564158+0200	2061391	1	Domain Observed Used for C2 Detected	192.168.2.5	56729	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: OGF4TzdXZ9.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://clarmodq.top/qoxo3	Avira URL Cloud: Label: malware
Source: https://clarmodq.top/qoxoer	Avira URL Cloud: Label: malware
Source: https://clarmodq.top/tk	Avira URL Cloud: Label: malware
Source: https://clarmodq.top/qoxATTO	Avira URL Cloud: Label: malware
Source: https://clarmodq.top/l	Avira URL Cloud: Label: malware
Source: https://clarmodq.top/z	Avira URL Cloud: Label: malware

Found malware configuration

Source: 1.2.OGF4TzdXZ9.exe.b0000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["clarmodq.top/qoxo", "soursopsf.run/gsoiao", "changeaie.top/geps", "easyupgw.live/eosz", "liftally.top/xasj", "upmodini.digital/gokk", "salaccgfa.top/gsooz", "zestmodp.top/zeda", "xcelmodo.run/nahd"], "Build id": "fd382b4d5e370fed3189565a05700419"}

Multi AV Scanner detection for submitted file

Source: OGF4TzdXZ9.exe	ReversingLabs: Detection: 66%
Source: OGF4TzdXZ9.exe	Virustotal: Detection: 59%			Perma Link

Sample uses string decryption to hide its real strings

Source: 1.2.OGF4TzdXZ9.exe.f80000.1.unpack	String decryptor: clarmodq.top/qoxo
Source: 1.2.OGF4TzdXZ9.exe.f80000.1.unpack	String decryptor: soursopsf.run/gsoiao
Source: 1.2.OGF4TzdXZ9.exe.f80000.1.unpack	String decryptor: changeaie.top/geps
Source: 1.2.OGF4TzdXZ9.exe.f80000.1.unpack	String decryptor: easyupgw.live/eosz
Source: 1.2.OGF4TzdXZ9.exe.f80000.1.unpack	String decryptor: liftally.top/xasj
Source: 1.2.OGF4TzdXZ9.exe.f80000.1.unpack	String decryptor: upmodini.digital/gokk
Source: 1.2.OGF4TzdXZ9.exe.f80000.1.unpack	String decryptor: salaccgfa.top/gsooz
Source: 1.2.OGF4TzdXZ9.exe.f80000.1.unpack	String decryptor: zestmodp.top/zeda
Source: 1.2.OGF4TzdXZ9.exe.f80000.1.unpack	String decryptor: xcelmodo.run/nahd

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9A1DB CryptUnprotectData,		1_2_00F9A1DB
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9ABFA CryptUnprotectData,CryptUnprotectData,		1_2_00F9ABFA

Source: OGF4TzdXZ9.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.85.126:443 -> 192.168.2.5:49696 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.126:443 -> 192.168.2.5:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.126:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.126:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.126:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.126:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.126:443 -> 192.168.2.5:49702 version: TLS 1.2

Source: OGF4TzdXZ9.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\AdminC7\Workspace\560058365\Project\Debug\Project.pdb source: OGF4TzdXZ9.exe

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx ebx, byte ptr [eax]	1_2_00FCD0F0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx esi, word ptr [ebx]	1_2_00FCB850
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx+000001E4h]	1_2_00F8D840
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_00FB41D1
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_00FB41D1
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov dword ptr [esp], eax	1_2_00F91AF8
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov dword ptr [esp+04h], edi	1_2_00F9ABFA
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+28h]	1_2_00FAEBD0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], A4BF7AEEh	1_2_00FC5350
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov edx, dword ptr [ecx+esi+3Ch]	1_2_00FC5350
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov word ptr [ecx], dx	1_2_00FCCD10
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then cmp dword ptr [edx+ebx*8], A0E666EBh	1_2_00FC58C0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+5C150C3Ch]	1_2_00FB081C
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then cmp word ptr [esi+edi+02h], 0000h	1_2_00FB081C
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov word ptr [edi], cx	1_2_00FB081C
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+10h]	1_2_00FC2800
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+08h]	1_2_00FC2800
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+04h]	1_2_00FC2800
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov byte ptr [edx], cl	1_2_00FAF18A
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+7A0F92D2h]	1_2_00F8C150
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then push esi	1_2_00FA6933
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+0000027Ch]	1_2_00FA2110
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then cmp word ptr [esi+edi+02h], 0000h	1_2_00FB0AE0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov word ptr [edi], cx	1_2_00FB0AE0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx ebx, byte ptr [eax]	1_2_00FCD2D0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_00FB2280
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	1_2_00FC3269
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax]	1_2_00FC3269
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then cmp byte ptr [edx+esi], cl	1_2_00F82250
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov dword ptr [esp+04h], ebx	1_2_00FA3210
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+000000F0h]	1_2_00FA3210
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00FA3210
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx edx, byte ptr [eax+esi-1E5CF0B0h]	1_2_00FC7BD9
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00FA83C0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_00F9F3B0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_00FBEB90
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then lea ecx, dword ptr [esp+00000138h]	1_2_00F9B36A
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+08h]	1_2_00FB034F
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx edx, byte ptr [eax+esi-1E5CF0B0h]	1_2_00FC7B38
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	1_2_00FB3B20
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax]	1_2_00FC3B1D
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+01h]	1_2_00F81B10
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-7E9317F6h]	1_2_00FA1B10
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+000011C8h]	1_2_00FABB00
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	1_2_00F89CB0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	1_2_00F89CB0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+0D993EE3h]	1_2_00FAD49C
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov byte ptr [eax], cl	1_2_00F9D5F0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+28h]	1_2_00FB05AA
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-70h]	1_2_00FC5D90
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov edx, esi	1_2_00FA5570
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	1_2_00F81D20
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h	1_2_00FB151C
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+14h]	1_2_00FC9D10
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	1_2_00F81EF0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+10h]	1_2_00FB06C0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	1_2_00FA7EA0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h	1_2_00FA7EA0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+08h]	1_2_00FAFE84
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-349D2938h]	1_2_00F8C7C0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+esi]	1_2_00F8C7C0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then jmp eax	1_2_00F9DF8F
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	1_2_00F8AF10
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov byte ptr [eax], cl	1_2_00F9DF0E
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov dword ptr [esp+04h], edi	1_2_00F9DF0E
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 4x nop then mov dword ptr [esp+04h], edi	1_2_00F9DF0E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2061391 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clarmodq .top) : 192.168.2.5:56729 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2061392 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) : 192.168.2.5:49697 -> 104.21.85.126:443
Source: Network traffic	Suricata IDS: 2061392 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) : 192.168.2.5:49700 -> 104.21.85.126:443
Source: Network traffic	Suricata IDS: 2061392 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) : 192.168.2.5:49701 -> 104.21.85.126:443
Source: Network traffic	Suricata IDS: 2061392 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) : 192.168.2.5:49702 -> 104.21.85.126:443
Source: Network traffic	Suricata IDS: 2061392 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) : 192.168.2.5:49699 -> 104.21.85.126:443
Source: Network traffic	Suricata IDS: 2061392 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) : 192.168.2.5:49698 -> 104.21.85.126:443
Source: Network traffic	Suricata IDS: 2061392 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI) : 192.168.2.5:49696 -> 104.21.85.126:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: clarmodq.top/qoxo
Source: Malware configuration extractor	URLs: soursopsf.run/gsoiao
Source: Malware configuration extractor	URLs: changeaie.top/geps
Source: Malware configuration extractor	URLs: easyupgw.live/eosz
Source: Malware configuration extractor	URLs: liftally.top/xasj
Source: Malware configuration extractor	URLs: upmodini.digital/gokk
Source: Malware configuration extractor	URLs: salaccgfa.top/gsooz
Source: Malware configuration extractor	URLs: zestmodp.top/zeda
Source: Malware configuration extractor	URLs: xcelmodo.run/nahd

Source: Joe Sandbox View

IP Address: 104.21.85.126 104.21.85.126

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49697 -> 104.21.85.126:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49700 -> 104.21.85.126:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49701 -> 104.21.85.126:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49699 -> 104.21.85.126:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49702 -> 104.21.85.126:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49698 -> 104.21.85.126:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49696 -> 104.21.85.126:443

Source: global traffic	HTTP traffic detected: POST /qoxo HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 41Host: clarmodq.top
Source: global traffic	HTTP traffic detected: POST /qoxo HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=K1GCnIOMKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 14868Host: clarmodq.top
Source: global traffic	HTTP traffic detected: POST /qoxo HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=88QCU4M2pC81User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 15032Host: clarmodq.top
Source: global traffic	HTTP traffic detected: POST /qoxo HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4CIzb58MxE0Yp51ldUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 20546Host: clarmodq.top
Source: global traffic	HTTP traffic detected: POST /qoxo HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=pYOvS09UfKSUr2lKMxjUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 2432Host: clarmodq.top
Source: global traffic	HTTP traffic detected: POST /qoxo HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4MGYIxGSWWhfGUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 573087Host: clarmodq.top
Source: global traffic	HTTP traffic detected: POST /qoxo HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 79Host: clarmodq.top

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: clarmodq.top

Source: unknown

HTTP traffic detected: POST /qoxo HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 41Host: clarmodq.top

Source: OGF4TzdXZ9.exe, 00000001.00000003.2723232130.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: OGF4TzdXZ9.exe, 00000001.00000003.2723232130.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: OGF4TzdXZ9.exe, 00000001.00000003.2723232130.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: OGF4TzdXZ9.exe, 00000001.00000003.2723232130.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: OGF4TzdXZ9.exe, 00000001.00000003.2723232130.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: OGF4TzdXZ9.exe, 00000001.00000003.2723232130.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: OGF4TzdXZ9.exe, 00000001.00000003.2723232130.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: OGF4TzdXZ9.exe, 00000001.00000003.2723232130.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: OGF4TzdXZ9.exe, 00000001.00000003.2723232130.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: OGF4TzdXZ9.exe, 00000001.00000003.2723232130.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: OGF4TzdXZ9.exe, 00000001.00000003.2723232130.0000000003C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: OGF4TzdXZ9.exe, 00000001.00000003.2698016199.0000000003C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: OGF4TzdXZ9.exe, 00000001.00000003.2734753909.0000000001407000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2734639193.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2734115752.0000000001406000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: OGF4TzdXZ9.exe, 00000001.00000003.2752625324.0000000001408000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2787998344.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2734639193.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000002.2804300171.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2734115752.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2764918695.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2771163090.0000000001406000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: OGF4TzdXZ9.exe, 00000001.00000003.2698016199.0000000003C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OGF4TzdXZ9.exe, 00000001.00000003.2698016199.0000000003C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OGF4TzdXZ9.exe, 00000001.00000003.2698016199.0000000003C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: OGF4TzdXZ9.exe, 00000001.00000003.2795448810.00000000013DB000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000002.2804100526.00000000013DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clarmodq.top/
Source: OGF4TzdXZ9.exe, 00000001.00000003.2692127623.000000000135D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clarmodq.top/l
Source: OGF4TzdXZ9.exe, 00000001.00000003.2734115752.0000000001406000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clarmodq.top/qoxATTO
Source: OGF4TzdXZ9.exe, 00000001.00000003.2722074713.0000000001408000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000002.2804100526.00000000013DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clarmodq.top/qoxo
Source: OGF4TzdXZ9.exe, 00000001.00000003.2692022176.000000000137C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clarmodq.top/qoxo3
Source: OGF4TzdXZ9.exe, 00000001.00000003.2795448810.00000000013DB000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000002.2804100526.00000000013DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clarmodq.top/qoxoer
Source: OGF4TzdXZ9.exe, 00000001.00000003.2795448810.00000000013DB000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000002.2804100526.00000000013DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clarmodq.top/tk
Source: OGF4TzdXZ9.exe, 00000001.00000003.2795448810.00000000013DB000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000002.2804100526.00000000013DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clarmodq.top/z
Source: OGF4TzdXZ9.exe, 00000001.00000003.2752625324.0000000001408000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2787998344.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2734639193.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000002.2804300171.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2734115752.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2764918695.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2771163090.0000000001406000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: OGF4TzdXZ9.exe, 00000001.00000003.2734753909.0000000001407000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2734639193.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2734115752.0000000001406000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: OGF4TzdXZ9.exe, 00000001.00000003.2698016199.0000000003C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: OGF4TzdXZ9.exe, 00000001.00000003.2698016199.0000000003C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: OGF4TzdXZ9.exe, 00000001.00000003.2698016199.0000000003C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: OGF4TzdXZ9.exe, 00000001.00000003.2698016199.0000000003C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: OGF4TzdXZ9.exe, 00000001.00000003.2734115752.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2764918695.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2771163090.0000000001406000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: OGF4TzdXZ9.exe, 00000001.00000003.2724944059.0000000004058000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: OGF4TzdXZ9.exe, 00000001.00000003.2724944059.0000000004058000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: OGF4TzdXZ9.exe, 00000001.00000003.2752625324.0000000001408000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2787998344.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2734639193.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000002.2804300171.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2734115752.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2764918695.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2771163090.0000000001406000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: OGF4TzdXZ9.exe, 00000001.00000003.2734753909.0000000001407000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2734639193.0000000001406000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2734115752.0000000001406000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: OGF4TzdXZ9.exe, 00000001.00000003.2698016199.0000000003C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: OGF4TzdXZ9.exe, 00000001.00000003.2698016199.0000000003C48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: OGF4TzdXZ9.exe, 00000001.00000003.2724944059.0000000004058000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: OGF4TzdXZ9.exe, 00000001.00000003.2724944059.0000000004058000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: OGF4TzdXZ9.exe, 00000001.00000003.2724944059.0000000004058000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: OGF4TzdXZ9.exe, 00000001.00000003.2724944059.0000000004058000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: OGF4TzdXZ9.exe, 00000001.00000003.2724944059.0000000004058000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: OGF4TzdXZ9.exe, 00000001.00000003.2724944059.0000000004058000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 104.21.85.126:443 -> 192.168.2.5:49696 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.126:443 -> 192.168.2.5:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.126:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.126:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.126:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.126:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.85.126:443 -> 192.168.2.5:49702 version: TLS 1.2

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe

Code function: 1_2_00FBD050 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

1_2_00FBD050

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe

Code function: 1_2_00FBD050 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

1_2_00FBD050

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe

Code function: 1_2_00FBD210 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

1_2_00FBD210

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_012FF4C0 NtProtectVirtualMemory,NtProtectVirtualMemory,		1_2_012FF4C0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_012FEF80 NtAllocateVirtualMemory,NtAllocateVirtualMemory,		1_2_012FEF80

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FCD0F0	1_2_00FCD0F0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FA0050	1_2_00FA0050
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FCB850	1_2_00FCB850
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F8D840	1_2_00F8D840
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9003D	1_2_00F9003D
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC800F	1_2_00FC800F
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FAB000	1_2_00FAB000
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F929E4	1_2_00F929E4
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9A1DB	1_2_00F9A1DB
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FB41D1	1_2_00FB41D1
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F91AF8	1_2_00F91AF8
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC7A7F	1_2_00FC7A7F
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9527E	1_2_00F9527E
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9ABFA	1_2_00F9ABFA
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FAEBD0	1_2_00FAEBD0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC5350	1_2_00FC5350
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F8B310	1_2_00F8B310
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FCC4E0	1_2_00FCC4E0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC1460	1_2_00FC1460
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FA6DD0	1_2_00FA6DD0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F90D88	1_2_00F90D88
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FCCD10	1_2_00FCCD10
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC17E0	1_2_00FC17E0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FAE730	1_2_00FAE730
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FCC0E0	1_2_00FCC0E0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FA40E5	1_2_00FA40E5
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FCA8B0	1_2_00FCA8B0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC90A0	1_2_00FC90A0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FAD890	1_2_00FAD890
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC9860	1_2_00FC9860
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FAF855	1_2_00FAF855
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FA6030	1_2_00FA6030
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FB081C	1_2_00FB081C
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F87800	1_2_00F87800
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC2800	1_2_00FC2800
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC8801	1_2_00FC8801
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9C9F3	1_2_00F9C9F3
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9D9F5	1_2_00F9D9F5
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9E9E0	1_2_00F9E9E0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FCA9E0	1_2_00FCA9E0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F8B9D0	1_2_00F8B9D0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FB615F	1_2_00FB615F
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F83950	1_2_00F83950
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F8C150	1_2_00F8C150
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F88950	1_2_00F88950
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FBF944	1_2_00FBF944
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9B925	1_2_00F9B925
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FA2110	1_2_00FA2110
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC8AEA	1_2_00FC8AEA
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F93AE3	1_2_00F93AE3
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FCD2D0	1_2_00FCD2D0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC0AB0	1_2_00FC0AB0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9A296	1_2_00F9A296
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FBCA80	1_2_00FBCA80
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC3269	1_2_00FC3269
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9A266	1_2_00F9A266
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F82250	1_2_00F82250
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F84252	1_2_00F84252
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F86A56	1_2_00F86A56
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FB8A38	1_2_00FB8A38
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC6A20	1_2_00FC6A20
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FA3210	1_2_00FA3210
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F943F9	1_2_00F943F9
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FA3BE0	1_2_00FA3BE0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FAFBE0	1_2_00FAFBE0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F8D3D0	1_2_00F8D3D0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9F3B0	1_2_00F9F3B0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F96390	1_2_00F96390
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FCAB80	1_2_00FCAB80
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9B36A	1_2_00F9B36A
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC6350	1_2_00FC6350
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F8E340	1_2_00F8E340
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC0341	1_2_00FC0341
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FB9B25	1_2_00FB9B25
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FA1B10	1_2_00FA1B10
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FABB00	1_2_00FABB00
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FADCF0	1_2_00FADCF0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F884E0	1_2_00F884E0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FBF4CF	1_2_00FBF4CF
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FCACC0	1_2_00FCACC0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F89CB0	1_2_00F89CB0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FABCB2	1_2_00FABCB2
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FAD49C	1_2_00FAD49C
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FBAC50	1_2_00FBAC50
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FCAC30	1_2_00FCAC30
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC9400	1_2_00FC9400
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9D5F0	1_2_00F9D5F0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FBA5CD	1_2_00FBA5CD
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F8F5B0	1_2_00F8F5B0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9C5A1	1_2_00F9C5A1
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FA5570	1_2_00FA5570
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9CD5F	1_2_00F9CD5F
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F91556	1_2_00F91556
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FA4530	1_2_00FA4530
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FBCD10	1_2_00FBCD10
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC9D10	1_2_00FC9D10
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC0D10	1_2_00FC0D10
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC2510	1_2_00FC2510
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FCBD00	1_2_00FCBD00
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FB66E0	1_2_00FB66E0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F88ED0	1_2_00F88ED0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F95EC2	1_2_00F95EC2
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F8A6B0	1_2_00F8A6B0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F906A0	1_2_00F906A0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F926A0	1_2_00F926A0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FA7EA0	1_2_00FA7EA0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC2E80	1_2_00FC2E80
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FAFE84	1_2_00FAFE84
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FB1650	1_2_00FB1650
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F83E10	1_2_00F83E10
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F8BE10	1_2_00F8BE10
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9CFD5	1_2_00F9CFD5
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F8C7C0	1_2_00F8C7C0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FA77C0	1_2_00FA77C0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F82FB0	1_2_00F82FB0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FAB7B0	1_2_00FAB7B0
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FBAF70	1_2_00FBAF70
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FBC760	1_2_00FBC760
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FC8F40	1_2_00FC8F40
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F92F10	1_2_00F92F10
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00FB0F08	1_2_00FB0F08
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_00F9DF0E	1_2_00F9DF0E

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: String function: 00F99520 appears 88 times
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: String function: 00F8ADF0 appears 40 times

Source: OGF4TzdXZ9.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe

Code function: 1_2_00FC17E0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

1_2_00FC17E0

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OGF4TzdXZ9.exe, 00000001.00000003.2697652217.0000000003C5B000.00000004.00000800.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2696361100.0000000003E35000.00000004.00000800.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2710186053.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: OGF4TzdXZ9.exe	ReversingLabs: Detection: 66%
Source: OGF4TzdXZ9.exe	Virustotal: Detection: 59%

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe

File read: C:\Users\user\Desktop\OGF4TzdXZ9.exe

Jump to behavior

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: OGF4TzdXZ9.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: OGF4TzdXZ9.exe

Static file information: File size 10084352 > 1048576

Source: OGF4TzdXZ9.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x859c00

Source: OGF4TzdXZ9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: OGF4TzdXZ9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: OGF4TzdXZ9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: OGF4TzdXZ9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: OGF4TzdXZ9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: OGF4TzdXZ9.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: OGF4TzdXZ9.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: OGF4TzdXZ9.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\AdminC7\Workspace\560058365\Project\Debug\Project.pdb source: OGF4TzdXZ9.exe

Source: OGF4TzdXZ9.exe	Static PE information: section name: .textbss
Source: OGF4TzdXZ9.exe	Static PE information: section name: .msvcjmc
Source: OGF4TzdXZ9.exe	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe

Code function: 1_2_00FB834A push edx; iretd

1_2_00FB835A

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe TID: 4364

Thread sleep time: -210000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: OGF4TzdXZ9.exe, 00000001.00000002.2803998759.0000000001394000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2794903708.0000000001394000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2795639754.0000000001394000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2692022176.0000000001394000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2751786187.0000000001394000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2765053583.0000000001394000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: OGF4TzdXZ9.exe, 00000001.00000002.2803884926.000000000134C000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2794903708.000000000134C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: OGF4TzdXZ9.exe, 00000001.00000003.2712624523.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe

Code function: 1_2_00FC7FD0 LdrInitializeThunk,

1_2_00FC7FD0

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_012FEA50 mov eax, dword ptr fs:[00000030h]		1_2_012FEA50
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Code function: 1_2_012FF690 mov eax, dword ptr fs:[00000030h]		1_2_012FF690

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: OGF4TzdXZ9.exe, 00000001.00000003.2765367768.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2794903708.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2765367768.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2765053583.000000000137C000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2794903708.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000002.2803998759.0000000001394000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000002.2804244183.00000000013FC000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000002.2804100526.00000000013F3000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2794903708.0000000001394000.00000004.00000020.00020000.00000000.sdmp, OGF4TzdXZ9.exe, 00000001.00000003.2795639754.0000000001394000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: OGF4TzdXZ9.exe PID: 8172, type: MEMORYSTR
Source: Yara match	File source: 00000001.00000002.2805207987.0000000003E38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.OGF4TzdXZ9.exe.f80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.OGF4TzdXZ9.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2802761052.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdliaogehgdbhbnmkklieghmmjkpigpa	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\OGF4TzdXZ9.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: OGF4TzdXZ9.exe PID: 8172, type: MEMORYSTR
Source: Yara match	File source: 00000001.00000002.2805207987.0000000003E38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.OGF4TzdXZ9.exe.f80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.OGF4TzdXZ9.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2802761052.0000000000D3F000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	31 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OGF4TzdXZ9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
OGF4TzdXZ9.exe