Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1434404
MD5: 9fb56dd5b5beb0b9c5d0102f22373c0b
SHA1: 5559dc162d09c11c1ed80aedf8e9fa86fd531e4c
SHA256: a65b290aa9ebfb82746cf75440c19956169f48d7dcbebafde6996c9b46039539
Tags: exe

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Detected VMProtect packer
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Machine Learning detection for dropped file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
File is packed with WinRar
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: https://incredibleextedwj.shop/api Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Avira: detection malicious, Label: HEUR/AGEN.1352800
Source: 4.2.podaw.exe.d60000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["demonstationfukewko.shop", "liabilitynighstjsko.shop", "alcojoldwograpciw.shop", "incredibleextedwj.shop", "shortsvelventysjo.shop", "shatterbreathepsw.shop", "tolerateilusidjukl.shop", "productivelookewr.shop", "incredibleextedwj.shop"], "Build id": "pGlMMn--333"}
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe ReversingLabs: Detection: 40%
Source: file.exe ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Joe Sandbox ML: detected
Source: 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String decryptor: demonstationfukewko.shop
Source: 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String decryptor: liabilitynighstjsko.shop
Source: 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String decryptor: alcojoldwograpciw.shop
Source: 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String decryptor: incredibleextedwj.shop
Source: 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String decryptor: shortsvelventysjo.shop
Source: 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String decryptor: shatterbreathepsw.shop
Source: 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String decryptor: tolerateilusidjukl.shop
Source: 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String decryptor: productivelookewr.shop
Source: 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String decryptor: incredibleextedwj.shop
Source: 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String decryptor: - Screen Resoluton:
Source: 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String decryptor: - Physical Installed Memory:
Source: 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String decryptor: Workgroup: -
Source: 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String decryptor: pGlMMn--333
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.218.63:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.218.63:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.218.63:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.218.63:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.218.63:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.218.63:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.218.63:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.218.63:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: file.exe, work.exe.0.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000DBA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_000DBA94
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000ED420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_000ED420
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_009EBA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 3_2_009EBA94
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_009FD420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 3_2_009FD420

Networking

Source: Traffic Snort IDS: 2052216 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (incredibleextedwj .shop) 192.168.2.4:57592 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2052223 ET TROJAN Observed Lumma Stealer Related Domain (incredibleextedwj .shop in TLS SNI) 192.168.2.4:49730 -> 172.67.218.63:443
Source: Traffic Snort IDS: 2052223 ET TROJAN Observed Lumma Stealer Related Domain (incredibleextedwj .shop in TLS SNI) 192.168.2.4:49731 -> 172.67.218.63:443
Source: Traffic Snort IDS: 2052223 ET TROJAN Observed Lumma Stealer Related Domain (incredibleextedwj .shop in TLS SNI) 192.168.2.4:49732 -> 172.67.218.63:443
Source: Traffic Snort IDS: 2052223 ET TROJAN Observed Lumma Stealer Related Domain (incredibleextedwj .shop in TLS SNI) 192.168.2.4:49733 -> 172.67.218.63:443
Source: Traffic Snort IDS: 2052223 ET TROJAN Observed Lumma Stealer Related Domain (incredibleextedwj .shop in TLS SNI) 192.168.2.4:49734 -> 172.67.218.63:443
Source: Traffic Snort IDS: 2052223 ET TROJAN Observed Lumma Stealer Related Domain (incredibleextedwj .shop in TLS SNI) 192.168.2.4:49735 -> 172.67.218.63:443
Source: Traffic Snort IDS: 2052223 ET TROJAN Observed Lumma Stealer Related Domain (incredibleextedwj .shop in TLS SNI) 192.168.2.4:49736 -> 172.67.218.63:443
Source: Traffic Snort IDS: 2052223 ET TROJAN Observed Lumma Stealer Related Domain (incredibleextedwj .shop in TLS SNI) 192.168.2.4:49737 -> 172.67.218.63:443
Source: Malware configuration extractor URLs: demonstationfukewko.shop
Source: Malware configuration extractor URLs: liabilitynighstjsko.shop
Source: Malware configuration extractor URLs: alcojoldwograpciw.shop
Source: Malware configuration extractor URLs: incredibleextedwj.shop
Source: Malware configuration extractor URLs: shortsvelventysjo.shop
Source: Malware configuration extractor URLs: shatterbreathepsw.shop
Source: Malware configuration extractor URLs: tolerateilusidjukl.shop
Source: Malware configuration extractor URLs: productivelookewr.shop
Source: Malware configuration extractor URLs: incredibleextedwj.shop
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: incredibleextedwj.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: incredibleextedwj.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18161Host: incredibleextedwj.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8782Host: incredibleextedwj.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20435Host: incredibleextedwj.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5432Host: incredibleextedwj.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1405Host: incredibleextedwj.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 565268Host: incredibleextedwj.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: incredibleextedwj.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: incredibleextedwj.shop

System Summary

Source: podaw.exe.3.dr Static PE information: .vmp0 and .vmp1 section names
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000D7AAF: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_000D7AAF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: String function: 009FFFD0 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: String function: 009FFEFC appears 42 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: String function: 00A007A0 appears 31 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 000F07A0 appears 31 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 000EFEFC appears 42 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 000EFFD0 appears 56 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/3@1/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000D7727 GetLastError,FormatMessageW, 0_2_000D7727
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000EB6D2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_000EB6D2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Users\user\Desktop\file.exe Command line argument: sfxname 0_2_000EF05C
Source: C:\Users\user\Desktop\file.exe Command line argument: sfxstime 0_2_000EF05C
Source: C:\Users\user\Desktop\file.exe Command line argument: STARTDLG 0_2_000EF05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Command line argument: sfxname 3_2_009FF05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Command line argument: sfxstime 3_2_009FF05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Command line argument: STARTDLG 3_2_009FF05C
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: podaw.exe, 00000004.00000003.1683493834.0000000004264000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 54%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: file.exe Static file information: File size 6401863 > 1048576
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: file.exe, work.exe.0.dr
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: initial sample Static PE information: section where entry point is pointing to: .vmp1
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_5358750
Source: file.exe Static PE information: section name: .didat
Source: work.exe.0.dr Static PE information: section name: .didat
Source: podaw.exe.3.dr Static PE information: section name: .vmp0
Source: podaw.exe.3.dr Static PE information: section name: .vmp1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000F07F0 push ecx; ret 0_2_000F0803
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000EFEFC push eax; ret 0_2_000EFF1A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_00A007F0 push ecx; ret 3_2_00A00803
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_009FFEFC push eax; ret 3_2_009FFF1A
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Memory written: PID: 7552 base: 17E0005 value: E9 8B 2F 72 75
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Memory written: PID: 7552 base: 76F02F90 value: E9 7A D0 8D 8A
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe System information queried: FirmwareTableInformation
Source: podaw.exe, 00000004.00000002.1775460209.0000000000DA8000.00000020.00000001.01000000.0000000B.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe RDTSC instruction interceptor: First address: FBC786 second address: E6EDCE instructions: 0x00000000 rdtsc 0x00000002 ror cl, 1 0x00000004 rcl ax, 0059h 0x00000008 btc dx, FFB5h 0x0000000d xor cl, 00000069h 0x00000010 bt eax, 54h 0x00000014 mov dx, sp 0x00000017 add cl, FFFFFFE7h 0x0000001a dec dx 0x0000001d neg cl 0x0000001f mov eax, ebp 0x00000021 cwd 0x00000023 cmp dx, ax 0x00000026 xor bl, cl 0x00000028 btc dx, FFD8h 0x0000002d mov edx, dword ptr [esp+ecx] 0x00000030 lea edi, dword ptr [edi-00000004h] 0x00000036 test sp, 092Dh 0x0000003b mov dword ptr [edi], edx 0x0000003d sbb eax, 291F2F4Eh 0x00000042 bt ax, dx 0x00000046 lea ebp, dword ptr [ebp-00000004h] 0x0000004c mov eax, dword ptr [ebp+00h] 0x00000050 jmp 00007F8CDD0599AFh 0x00000055 xor eax, ebx 0x00000057 test edi, edi 0x00000059 cmp ax, sp 0x0000005c test sp, 5BA8h 0x00000061 xor eax, 0F673FF6h 0x00000066 lea eax, dword ptr [eax-55DD4DB9h] 0x0000006c jmp 00007F8CDD4C8592h 0x00000071 bswap eax 0x00000073 xor eax, 3D233675h 0x00000078 xor ebx, eax 0x0000007a add esi, eax 0x0000007c jmp 00007F8CDD12F94Dh 0x00000081 jmp 00007F8CDD3890EDh 0x00000086 lea edx, dword ptr [esp+60h] 0x0000008a cmp edi, edx 0x0000008c jmp 00007F8CDD1EC46Fh 0x00000091 ja 00007F8CDD21BAA3h 0x00000097 push esi 0x00000098 ret 0x00000099 sub ebp, 00000001h 0x0000009f clc 0x000000a0 rdtsc
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe RDTSC instruction interceptor: First address: E88C3E second address: E88C48 instructions: 0x00000000 rdtsc 0x00000002 shl ebp, FFFFFF8Fh 0x00000005 popfd 0x00000006 lahf 0x00000007 xchg bp, di 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe RDTSC instruction interceptor: First address: FBAE10 second address: FBAE16 instructions: 0x00000000 rdtsc 0x00000002 pop ecx 0x00000003 adc dx, dx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe TID: 7592 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe TID: 7592 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000DBA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_000DBA94
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000ED420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_000ED420
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_009EBA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 3_2_009EBA94
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_009FD420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 3_2_009FD420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000EF82F VirtualQuery,GetSystemInfo, 0_2_000EF82F
Source: work.exe, 00000003.00000003.1777370545.0000000002BB4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: work.exe, 00000003.00000003.1777370545.0000000002BB4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y|
Source: podaw.exe, 00000004.00000003.1774823053.0000000001A9E000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000004.00000002.1776497465.0000000001AA1000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000004.00000003.1774460578.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000004.00000003.1664488167.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000004.00000003.1774228067.0000000001ADD000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000004.00000002.1776602257.0000000001AE2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: podaw.exe, 00000004.00000003.1774460578.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000004.00000003.1664488167.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000004.00000003.1774228067.0000000001ADD000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000004.00000002.1776602257.0000000001AE2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000F0A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000F0A0A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000F91B0 mov eax, dword ptr fs:[00000030h] 0_2_000F91B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_00A091B0 mov eax, dword ptr fs:[00000030h] 3_2_00A091B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000FD1F0 GetProcessHeap, 0_2_000FD1F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000F0A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000F0A0A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000F0B9D SetUnhandledExceptionFilter, 0_2_000F0B9D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000F0D8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_000F0D8A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000F4FEF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000F4FEF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_00A00A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00A00A0A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_00A00B9D SetUnhandledExceptionFilter, 3_2_00A00B9D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_00A00D8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00A00D8A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_00A04FEF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00A04FEF

HIPS / PFW / Operating System Protection Evasion

Source: podaw.exe, 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: demonstationfukewko.shop
Source: podaw.exe, 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: liabilitynighstjsko.shop
Source: podaw.exe, 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: alcojoldwograpciw.shop
Source: podaw.exe, 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: incredibleextedwj.shop
Source: podaw.exe, 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: shortsvelventysjo.shop
Source: podaw.exe, 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: shatterbreathepsw.shop
Source: podaw.exe, 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: tolerateilusidjukl.shop
Source: podaw.exe, 00000004.00000002.1775430111.0000000000D9A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: productivelookewr.shop
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe"
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000EBEFF SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateDirectoryW,LocalFree, 0_2_000EBEFF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000F0826 cpuid 0_2_000F0826
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_000EC093
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: GetLocaleInfoW,GetNumberFormatW, 3_2_009FC093
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000EF05C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_000EF05C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000DC365 GetVersionExW, 0_2_000DC365
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: podaw.exe, 00000004.00000003.1774823053.0000000001A9E000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000004.00000002.1776497465.0000000001AA1000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000004.00000002.1776513744.0000000001ACB000.00000004.00000020.00020000.00000000.sdmp, podaw.exe, 00000004.00000003.1774142606.000000000431D000.00000004.00000800.00020000.00000000.sdmp, podaw.exe, 00000004.00000003.1746844834.0000000004312000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: podaw.exe PID: 7552, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: podaw.exe, 00000004.00000003.1774460578.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: podaw.exe, 00000004.00000002.1776685965.0000000001B52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: podaw.exe, 00000004.00000003.1774460578.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: podaw.exe, 00000004.00000003.1774460578.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: podaw.exe, 00000004.00000002.1776685965.0000000001B52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Exodus
Source: podaw.exe, 00000004.00000003.1774460578.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: podaw.exe, 00000004.00000003.1774159077.0000000001B4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: podaw.exe, 00000004.00000002.1776685965.0000000001B52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\podaw.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: Yara match File source: Process Memory Space: podaw.exe PID: 7552, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: podaw.exe PID: 7552, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR