Windows Analysis Report
tMO4FVIc9l.exe

Overview

General Information

Sample name: tMO4FVIc9l.exe
renamed because original name is a hash value
Original sample name: 6bc7f3c7927f5fc13a4410f1770c2dfe.exe
Analysis ID: 1446871
MD5: 6bc7f3c7927f5fc13a4410f1770c2dfe
SHA1: 4fd9306a40681e1f881168644f991c30824b02cc
SHA256: c6ec11a31d4c28480f4ee3cc744792e12d7919cfffff5b7ca86649c904b7abda
Tags: exeRiseProStealer
Infos:

Detection

LummaC, RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
Yara detected RisePro Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://5.42.65.116/lumma2305.exej Avira URL Cloud: Label: phishing
Source: http://5.42.65.116/lumma2305.exe~ Avira URL Cloud: Label: phishing
Source: http://5.42.65.116/lumma2305.exeMeleonCH Avira URL Cloud: Label: phishing
Source: http://5.42.65.116/lumma2305.exeaTTm Avira URL Cloud: Label: phishing
Source: http://5.42.65.116/lumma2305.exeEWPz Avira URL Cloud: Label: phishing
Source: http://5.42.65.116/lumma2305.exe Avira URL Cloud: Label: phishing
Source: http://5.42.65.116/lumma2305.exeto.de Avira URL Cloud: Label: phishing
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Avira: detection malicious, Label: HEUR/AGEN.1317026
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Avira: detection malicious, Label: HEUR/AGEN.1317026
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Avira: detection malicious, Label: HEUR/AGEN.1317026
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\lumma2305[1].exe Avira: detection malicious, Label: HEUR/AGEN.1317026
Found malware configuration
Source: 9.2.MSIUpdaterV202.exe.bf0000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["roomabolishsnifftwk.shop", "civilianurinedtsraov.shop", "stalfbaclcalorieeis.shop", "employhabragaomlsp.shop", "femininiespywageg.shop", "averageaattractiionsl.shop", "buttockdecarderwiso.shop", "museumtespaceorsp.shop", "employhabragaomlsp.shop"], "Build id": "H8NgCl--"}
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\lumma2305[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe ReversingLabs: Detection: 44%
Multi AV Scanner detection for submitted file
Source: tMO4FVIc9l.exe ReversingLabs: Detection: 42%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\lumma2305[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: tMO4FVIc9l.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp String decryptor: roomabolishsnifftwk.shop
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp String decryptor: civilianurinedtsraov.shop
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp String decryptor: stalfbaclcalorieeis.shop
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp String decryptor: employhabragaomlsp.shop
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp String decryptor: femininiespywageg.shop
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp String decryptor: averageaattractiionsl.shop
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp String decryptor: buttockdecarderwiso.shop
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp String decryptor: museumtespaceorsp.shop
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp String decryptor: employhabragaomlsp.shop
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp String decryptor: - Screen Resoluton:
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp String decryptor: - Physical Installed Memory:
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp String decryptor: Workgroup: -
Source: 00000009.00000002.2188300072.0000000000C17000.00000004.00000001.01000000.00000007.sdmp String decryptor: H8NgCl--
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00414F19 CryptUnprotectData, 12_2_00414F19
Uses 32bit PE files
Source: tMO4FVIc9l.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49757 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: 7_2_004F4253 FindFirstFileExW, 7_2_004F4253
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: 9_2_00C04253 FindFirstFileExW, 9_2_00C04253
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 17_2_00EA4253 FindFirstFileExW, 17_2_00EA4253
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 20_2_00EA4253 FindFirstFileExW, 20_2_00EA4253

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.6:49710 -> 5.42.65.116:50500
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.65.116:50500 -> 192.168.2.6:49710
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 5.42.65.116:50500 -> 192.168.2.6:49710
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49710 -> 5.42.65.116:50500
Source: Traffic Snort IDS: 2052761 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (employhabragaomlsp .shop) 192.168.2.6:65237 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49715 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49716 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49717 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49718 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49719 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49720 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49721 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49722 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49723 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49724 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49726 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49729 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49732 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49734 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49736 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49737 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49738 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49739 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49740 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49741 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49742 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49743 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49744 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49745 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49746 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49747 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49748 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49750 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49751 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49752 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49753 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49754 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49755 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49756 -> 188.114.96.3:443
Source: Traffic Snort IDS: 2052775 ET TROJAN Observed Lumma Stealer Related Domain (employhabragaomlsp .shop in TLS SNI) 192.168.2.6:49757 -> 188.114.96.3:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: roomabolishsnifftwk.shop
Source: Malware configuration extractor URLs: civilianurinedtsraov.shop
Source: Malware configuration extractor URLs: stalfbaclcalorieeis.shop
Source: Malware configuration extractor URLs: employhabragaomlsp.shop
Source: Malware configuration extractor URLs: femininiespywageg.shop
Source: Malware configuration extractor URLs: averageaattractiionsl.shop
Source: Malware configuration extractor URLs: buttockdecarderwiso.shop
Source: Malware configuration extractor URLs: museumtespaceorsp.shop
Source: Malware configuration extractor URLs: employhabragaomlsp.shop
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49710 -> 5.42.65.116:50500
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
May check the online IP address of the machine
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.175 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12854Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12854Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12854Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15100Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19958Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15100Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19958Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5429Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1237Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5429Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1237Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 566526Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12854Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 566526Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15100Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19958Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5429Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1234Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12854Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15100Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 572276Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19958Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 5429Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1234Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 572276Host: employhabragaomlsp.shop
Source: global traffic HTTP traffic detected: HEAD /lumma2305.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.65.116Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /lumma2305.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.65.116Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.65.116
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.175 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.175 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /lumma2305.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.65.116Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: global traffic DNS traffic detected: DNS query: employhabragaomlsp.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: employhabragaomlsp.shop
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.0000000001548000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000002.2259208520.0000000006162000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.65.116/lumma2305.exe
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.0000000001548000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.65.116/lumma2305.exeEWPz
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.0000000001548000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.65.116/lumma2305.exeMeleonCH
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.0000000001548000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.65.116/lumma2305.exeaTTm
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.0000000001548000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.65.116/lumma2305.exej
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.65.116/lumma2305.exeto.de
Source: tMO4FVIc9l.exe, 00000000.00000002.2259208520.0000000006162000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.65.116/lumma2305.exe~
Source: Amcache.hve.15.dr String found in binary or memory: http://upx.sf.net
Source: tMO4FVIc9l.exe, 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.175
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.175
Source: tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2352713016.0000000001346000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2244993517.000000000118F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2456519007.00000000014F3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2498499806.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2498499806.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://employhabragaomlsp.shop/
Source: RegAsm.exe, 00000019.00000002.2498499806.0000000000B98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://employhabragaomlsp.shop/8
Source: RegAsm.exe, 00000019.00000002.2498499806.0000000000B98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://employhabragaomlsp.shop/aibcnf
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2353071644.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2352713016.000000000135E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2456254141.00000000014D3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2456519007.0000000001505000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2456254141.000000000147C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2499274804.000000000309D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2498499806.0000000000C36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://employhabragaomlsp.shop/api
Source: RegAsm.exe, 00000019.00000002.2499274804.000000000309D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://employhabragaomlsp.shop/api(
Source: RegAsm.exe, 0000000C.00000002.2244993517.000000000114A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://employhabragaomlsp.shop/apiO
Source: RegAsm.exe, 00000015.00000002.2456519007.0000000001505000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://employhabragaomlsp.shop/apiP
Source: RegAsm.exe, 00000015.00000002.2456254141.000000000147C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://employhabragaomlsp.shop/apiY
Source: RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://employhabragaomlsp.shop/apih
Source: RegAsm.exe, 00000019.00000002.2498499806.0000000000B98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://employhabragaomlsp.shop/i
Source: RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://employhabragaomlsp.shop/l
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://employhabragaomlsp.shop/pi
Source: RegAsm.exe, 00000015.00000002.2456254141.00000000014D3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2498499806.0000000000B98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://employhabragaomlsp.shop/s
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://employhabragaomlsp.shop:443/api
Source: RegAsm.exe, 0000000C.00000002.2244993517.000000000118F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://employhabragaomlsp.shop:443/apihrome
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Y
Source: tMO4FVIc9l.exe, 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.175
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.175F
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.000000000146E000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000002.2259208520.000000000611B000.00000004.00000020.00020000.00000000.sdmp, KBHGMwjOItm_DLNJJFRnML7.zip.0.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2154211616.00000000061A6000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr String found in binary or memory: https://t.me/risepro_bot
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botD
Source: tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: tMO4FVIc9l.exe, 00000000.00000003.2146231923.0000000006185000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144355796.0000000006156000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144919688.0000000006166000.00000004.00000020.00020000.00000000.sdmp, dP6LfDcELUJXWeb Data.0.dr, RzvNVqGUEpJhWeb Data.0.dr, S4ECHZA8NR3oWeb Data.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org#
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49757 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0042D5A0 GetWindowLongW,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 12_2_0042D5A0
Contains functionality to read the clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0042D5A0 GetWindowLongW,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 12_2_0042D5A0
Contains functionality to record screenshots
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0042D760 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 12_2_0042D760
Detected potential crypto function
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_00878BB0 0_2_00878BB0
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_0091AD00 0_2_0091AD00
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_008BF0D0 0_2_008BF0D0
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_0095F550 0_2_0095F550
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_0082B8E0 0_2_0082B8E0
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_008A1C10 0_2_008A1C10
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_00965DE0 0_2_00965DE0
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_008C4320 0_2_008C4320
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_0086036F 0_2_0086036F
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_008A45E0 0_2_008A45E0
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_009686C0 0_2_009686C0
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_008747BF 0_2_008747BF
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_0085A928 0_2_0085A928
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_0085C960 0_2_0085C960
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_0090EC40 0_2_0090EC40
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_00A52D3B 0_2_00A52D3B
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_00966D20 0_2_00966D20
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_00954D40 0_2_00954D40
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_00878E30 0_2_00878E30
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_008571A0 0_2_008571A0
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_0084F580 0_2_0084F580
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_008C3610 0_2_008C3610
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_00967760 0_2_00967760
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_00961F00 0_2_00961F00
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: 7_2_004F68B8 7_2_004F68B8
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: 7_2_004F3320 7_2_004F3320
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: 9_2_00C068B8 9_2_00C068B8
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: 9_2_00C03320 9_2_00C03320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00437445 12_2_00437445
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00426450 12_2_00426450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00401000 12_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00406170 12_2_00406170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_004201F0 12_2_004201F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00403180 12_2_00403180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_004322A0 12_2_004322A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0042434B 12_2_0042434B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00420330 12_2_00420330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00419464 12_2_00419464
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041648C 12_2_0041648C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0040F500 12_2_0040F500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00404650 12_2_00404650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00423630 12_2_00423630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_004016C0 12_2_004016C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041F6E0 12_2_0041F6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_004087D0 12_2_004087D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041B7BE 12_2_0041B7BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00407970 12_2_00407970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00439BB0 12_2_00439BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00403CD0 12_2_00403CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00405CA0 12_2_00405CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00434D40 12_2_00434D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041EE00 12_2_0041EE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0041FE00 12_2_0041FE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00439ED0 12_2_00439ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00404F90 12_2_00404F90
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 17_2_00EA68B8 17_2_00EA68B8
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 17_2_00EA3320 17_2_00EA3320
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 20_2_00EA68B8 20_2_00EA68B8
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 20_2_00EA3320 20_2_00EA3320
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe 2A7B010296F77BC811CDB2802DC11B7DA7E486A3C7CDBB6B2783B12B828BD57D
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe 2A7B010296F77BC811CDB2802DC11B7DA7E486A3C7CDBB6B2783B12B828BD57D
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\lumma2305[1].exe 2A7B010296F77BC811CDB2802DC11B7DA7E486A3C7CDBB6B2783B12B828BD57D
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe 2A7B010296F77BC811CDB2802DC11B7DA7E486A3C7CDBB6B2783B12B828BD57D
Found potential string decryption / allocating functions
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: String function: 00BF4F90 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: String function: 004E4F90 appears 48 times
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: String function: 00E9A6BE appears 42 times
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: String function: 00E94F90 appears 96 times
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: String function: 00E9F073 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00408490 appears 57 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00408C20 appears 153 times
One or more processes crash
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 2688
Uses 32bit PE files
Source: tMO4FVIc9l.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: lumma2305[1].exe.0.dr Static PE information: Section: .data ZLIB complexity 0.9894404217479674
Source: xq6J5KlULX6jlR3rET0T.exe.0.dr Static PE information: Section: .data ZLIB complexity 0.9894404217479674
Source: AdobeUpdaterV202.exe.0.dr Static PE information: Section: .data ZLIB complexity 0.9894404217479674
Source: MSIUpdaterV202.exe.0.dr Static PE information: Section: .data ZLIB complexity 0.9894404217479674
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@26/32@3/4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0042D2F0 CoCreateInstance, 12_2_0042D2F0
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\signons.sqlite Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3108
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File created: C:\Users\user\AppData\Local\Temp\trixyDxygJpUhAdhw Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: tMO4FVIc9l.exe, 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: tMO4FVIc9l.exe, 00000000.00000002.2257375774.000000000097D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: tMO4FVIc9l.exe, 00000000.00000003.2143660806.0000000006115000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2144177194.0000000006125000.00000004.00000020.00020000.00000000.sdmp, rg706_nABxIULogin Data For Account.0.dr, Oh9vbPMur9FiLogin Data.0.dr, D7xhTl4YAcm4Login Data.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: tMO4FVIc9l.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File read: C:\Users\user\Desktop\tMO4FVIc9l.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\tMO4FVIc9l.exe "C:\Users\user\Desktop\tMO4FVIc9l.exe"
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Process created: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe "C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe"
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown Process created: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe
Source: unknown Process created: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 2688
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe "C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe "C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe "C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe "C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Process created: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe "C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: samcli.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: userenv.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: mpr.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: netutils.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: sfc.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: samcli.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: userenv.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: mpr.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: netutils.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: sfc.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: acgenral.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmmbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmmbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: acgenral.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmmbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmmbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: tMO4FVIc9l.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: tMO4FVIc9l.exe Static file information: File size 3134976 > 1048576
Source: tMO4FVIc9l.exe Static PE information: Raw size of .vmp is bigger than: 0x100000 < 0x2f9000
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .vmp
PE file contains sections with non-standard names
Source: tMO4FVIc9l.exe Static PE information: section name: .vmp
Source: tMO4FVIc9l.exe Static PE information: section name: .vmp
Source: tMO4FVIc9l.exe Static PE information: section name: .vmp
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_00A949ED push ebp; ret 0_2_00A94A32
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_009D9EAB push ebx; iretd 0_2_009D9EDE
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_00853F59 push ecx; ret 0_2_00853F6C
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: 7_2_004E4721 push ecx; ret 7_2_004E4734
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: 9_2_00BF4721 push ecx; ret 9_2_00BF4734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0043C609 push ecx; ret 12_2_0043C613
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0043DA48 push ecx; retf 12_2_0043DA4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_0043CEA2 push cs; ret 12_2_0043CEA3
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 17_2_00E94721 push ecx; ret 17_2_00E94734
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 20_2_00E94721 push ecx; ret 20_2_00E94734
Drops PE files
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\lumma2305[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File created: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Jump to dropped file
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File created: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Jump to dropped file
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File created: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7 Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: FirmwareTableInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: FirmwareTableInformation
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_00A6400F rdtsc 0_2_00A6400F
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5048 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6336 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5484 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5936 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6504 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2664 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2488 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: 7_2_004F4253 FindFirstFileExW, 7_2_004F4253
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: 9_2_00C04253 FindFirstFileExW, 9_2_00C04253
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 17_2_00EA4253 FindFirstFileExW, 17_2_00EA4253
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 20_2_00EA4253 FindFirstFileExW, 20_2_00EA4253
Source: Amcache.hve.15.dr Binary or memory string: VMware
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: discord.comVMware20,11696487552f
Source: RegAsm.exe, 00000015.00000002.2456254141.000000000144A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: Amcache.hve.15.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2350449893.000000000097A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.2352554407.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2244993517.000000000118F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2244993517.000000000114A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2456254141.00000000014A8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2498499806.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: global block list test formVMware20,11696487552
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.15.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: tMO4FVIc9l.exe, 00000000.00000002.2259208520.0000000006130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}9+DtRuOIzpuPOHMWFCH4SYrrhIIF+VmRVSkbN671zwLeLYomOj6BxuG4WR0H8+Rivo4a5BAWT1bV5dHpshkYrOka+p8vn3VPA9qlgL8Tk27kWvHNRJXPl7UkYvCoDMNFU/36++C/jG6pgvhw/J6+PCmsW1ynBiLNzuR9AXJKT6RtkzVJ5JXS6W4LXIi22NeLtP7Ikk+0n7QDGjovSf2FNmrxFItlk5hpx/2HxYs7bUXx8wlhYhOe6vmYTYhwDGkC95TfsGbkuhMXPDu24Tk7yZ0vkv8IwoJIe02kWQ6IIm9jZj5kyhHMSGTfMV1KramijuIQ61Lh4JuwhDKy5sdv4lPBppbXLx9SLeTS6Kn4usBfnhOPZZ7l5cpc73VFZYd77s7LnUzNMXxxIpimnULqgLSaHyIqzMQjKsPItp3JQyx5CerGBHz+72bou4eRv4TJR7md171SZI7d8swF+mIEVAJCa+4QbnpduN+YKaqd+XlImpqvGTlKejMnbf5C3VoY6JqyIprHM127oDjSKid9WWwYkCjOIWoJ9cPNs1rEHZ7g0TIw+CKfhqUxdWSSZy1s0xEmvRteTep7wHsWEq3bric1I0yUTA1xPBeKNpfYj0KIFBfGvzhZMFqKcVarTu4qW7iA/0/ou6h8oRON7pvR/Drqz1sh2V/nTyeLJBoScoTC2kP+Z5joN7z4enaTfObIPJ73aAl7nk82ybN7HgXREVh9sTgLim/ZFJ5ILI8FVqHlTjEcHZYzg3iLhWWXwtL8duCV9PO06EahABTLaH/dJMlgRfEm+xqei1EiLMQRE1A3wjzPysQesfpyIP7QZIIOwr8Fac1720ciptOJHnqRhOYMUatUHgvBfyvSdxZFncyCHH8s5lxNPR9Ckhzt/OyLoXmbZmd7lnu+m7uljsgn0XpsdfOO+Hb6A8sp3Lny7Crg5eEH7FkVTGHF1dB5sUfLHUBgegCLm9az5mP4IHm53G3d6FaRVSjxbt/cmY1A4yoMWgbu753WBLmKf7XoP0a3ATliu2meo4ycXIQcFDZxSBsE/n8lIc9Rjs7JH9hU+UalUXvLlk3QUNIdExIuU0zLb9VKS5YYAUp8v1L58qp6JEfI2T1GH8BNpLTSa1mvlaKprJUJIpnWr30WVhfG1wRno7Ou3cF2tpP3xF2pkOU5vy86XhhyxlqE9HTLQYUMojgV8q9ODzUXLbxWzK/ZKI3rkrIGFkZmRdr0WffmX91WbitQH63DCEnQ3rutG1DBIXV73QYXkiqmMW8Vu+F6IYaFLPFibpYCvWdqa5euzm4wASrFl7hx59wixe916VrWor7/LR1RwbfRM3ZDHiA9d+r6uLhAvkHE/7GY8XhfjaF3eiso7gDvw56tlyKHcJ9locNvwwauttSLO9tH2h4ABpfxVeWp5cNhRjml3ecGiVDs4vikm7dU4OOrv4FdDu3621TEC0ZAvx3cJzKlwVHqcJLgEQoOC9dwoKN8VJSL1Uo6cd8X/oURNbmKMNyh3jqv8o3J29EtLi4ZBGlmf8ljmlqYy97XCx4/+XmHd8a7VK/ZK+ox1GWo1ve2zhapCJZntBNUx2+Ab5E8v7CAFVcOpXvV+AAAxe3TeLs943LDxb4iTGvD6fIRB4J6ZR6jI+EPw959sgDkaVvANG7Nr72KQ8LuBIgyQfqf+m+iHiUj4SLub8eUbGXr45sj5eH6SVxU0CxrdR34NEWUjCII5KmpCckr5zRxXbaffxgnZdm2vKKO081W1smR0p8/nOBzQ8DI3feQCIChRSRIOORV9wT6RphUcA0b4nNYsG/2swVxRBK8YOLh3g0mmEmUKjzBNi369LJUIgTx1nP/
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Amcache.hve.15.dr Binary or memory string: vmci.sys
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}2B
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Amcache.hve.15.dr Binary or memory string: VMware20,1
Source: Amcache.hve.15.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.15.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.15.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.15.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.15.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.15.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: tMO4FVIc9l.exe, 00000000.00000003.2147630873.000000000613F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjo
Source: Amcache.hve.15.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.15.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.15.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.15.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Amcache.hve.15.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.15.dr Binary or memory string: vmci.syshbin
Source: RegAsm.exe, 00000019.00000002.2498499806.0000000000B98000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWhf
Source: Amcache.hve.15.dr Binary or memory string: VMware, Inc.
Source: tMO4FVIc9l.exe, 00000000.00000003.2092231965.00000000014C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: tMO4FVIc9l.exe, 00000000.00000003.2153594744.000000000614F000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2153450957.000000000614B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKgJgfVnHTK+JLmAb/RowJPMKhAsCv3xIKp3A3J0bIrT6Kneikg7dvk+GJmkHFttaJEguSLSv129ueZxPU8u/jjbOh58SbK79gHC6fbyHtiXugGa2piEQXxG+bmG0Cus4t/nq2zXfIR5aooh8B19rBJQYmQ20FEfz4uFqfTRmf/+lM6Ex746uEtS7v0ouFUMm83c8HpZ5PQzRdxuv47EQAZ9PEP/ZL6ecyVbL+8hOSJm6+yF+1A6ySN83i+WdwHy5TP6AGa54yNOQDMt0K/OHXfg+kqThLIfk6QFsLDCjZdpZTGOzjUsCOwZe5C6Gi8Q8TVSedBLpSfsvQj8BDp18kmZ3ex54YP0+Gs0yuOc0oHyahpuklKSN9DNVuBZhWH/uMHS1PAuQ5a2Lju9F/SWeKm7prBc0jVP84iPJxdnHVJ/HDDDbXL54Z89qdU0Vcin6gqmwXrJjGgP4IA8IR19qewIwTnUCQdrTZp1GW0u9j1R6sUgPUrm2c5cvXl9oot3E2Yi+lA6TVxs+wzTv0RyoJlnAb/LVyrQ+JXXkt08JQiqZojt7zmAq6A6TMAI3d99XjZOb1H2Ej05cPkbrRi3jsQ/1cA/+FiEaSdYURoSjyCbui7SR58sFKCEAn3HKH4uwm3eDW6eeqSVnn3vRu5S+ZPUrZgKYs8lgl1/fYieGCfbdnVWn1in27qZ19Yfhv4WKpf3SAPgywfR4sYK3wdc8VGoHmK3TWFL5jmOUHB49Ogy2jYoedRvh3h9D96fGhUBv0WbVKW3Fxq4ViXVL2x9NKNgA+vC8A5zUncE8H2TafulfEOSRqFccYu86ht5uc0nLgpiCrzoulmnAYZLfk4zbvX51WQrYMsc8ORmzRWmqqLFXZVINxxVKaxrpheUhYRfRx54cZnzZZxdMOYT0VhpWbZdIcVFHnb3QBFJEgxwyQpCTte0yQjzn7uCUZsuA+iYIJO4a+Hmq+9ONtmOcMMY
Source: Amcache.hve.15.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.15.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.15.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.15.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.15.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: tMO4FVIc9l.exe, 00000000.00000003.2153450957.000000000614B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}9+DtRuOIzpuPOHMWFCH4SYrrhIIF+VmRVSkbN671zwLeLYomOj6BxuG4WR0H8+Rivo4a5BAWT1bV5dHpshkYrOka+p8vn3VPA9qlgL8Tk27kWvHNRJXPl7UkYvCoDMNFU/36++C/jG6pgvhw/J6+PCmsW1ynBiLNzuR9AXJKT6RtkzVJ5JXS6W4LXIi22NeLtP7Ikk+0n7QDGjovSf2FNmrxFItlk5hpx/2HxYs7bUXx8wlhYhOe6vmYTYhwDGkC95TfsGbkuhMXPDu24Tk7yZ0vkv8IwoJIe02kWQ6IIm9jZj5kyhHMSGTfMV1KramijuIQ61Lh4JuwhDKy5sdv4lPBppbXLx9SLeTS6Kn4usBfnhOPZZ7l5cpc73VFZYd77s7LnUzNMXxxIpimnULqgLSaHyIqzMQjKsPItp3JQyx5CerGBHz+72bou4eRv4TJR7md171SZI7d8swF+mIEVAJCa+4QbnpduN+YKaqd+XlImpqvGTlKejMnbf5C3VoY6JqyIprHM127oDjSKid9WWwYkCjOIWoJ9cPNs1rEHZ7g0TIw+CKfhqUxdWSSZy1s0xEmvRteTep7wHsWEq3bric1I0yUTA1xPBeKNpfYj0KIFBfGvzhZMFqKcVarTu4qW7iA/0/ou6h8oRON7pvR/Drqz1sh2V/nTyeLJBoScoTC2kP+Z5joN7z4enaTfObIPJ73aAl7nk82ybN7HgXREVh9sTgLim/ZFJ5ILI8FVqHlTjEcHZYzg3iLhWWXwtL8duCV9PO06EahABTLaH/dJMlgRfEm+xqei1EiLMQRE1A3wjzPysQesfpyIP7QZIIOwr8Fac1720ciptOJHnqRhOYMUatUHgvBfyvSdxZFncyCHH8s5lxNPR9Ckhzt/OyLoXmbZmd7lnu+m7uljsgn0XpsdfOO+Hb6A8sp3Lny7Crg5eEH7FkVTGHF1dB5sUfLHUBgegCLm9az5mP4IHm53G3d6FaRVSjxbt/cmY1A4yoMWgbu753WBLmKf7XoP0a3ATliu2meo4ycXIQcFDZxSBsE/n8lIc9Rjs7JH9hU+UalUXvLlk3QUNIdExIuU0zLb9VKS5YYAUp8v1L58qp6JEfI2T1GH8BNpLTSa1mvlaKprJUJIpnWr30WVhfG1wRno7Ou3cF2tpP3xF2pkOU5vy86XhhyxlqE9HTLQYUMojgV8q9ODzUXLbxWzK/ZKI3rkrIGFkZmRdr0WffmX91WbitQH63DCEnQ3rutG1DBIXV73QYXkiqmMW8Vu+F6IYaFLPFibpYCvWdqa5euzm4wASrFl7hx59wixe916VrWor7/LR1RwbfRM3ZDHiA9d+r6uLhAvkHE/7GY8XhfjaF3eiso7gDvw56tlyKHcJ9locNvwwauttSLO9tH2h4ABpfxVeWp5cNhRjml3ecGiVDs4vikm7dU4OOrv4FdDu3621TEC0ZAvx3cJzKlwVHqcJLgEQoOC9dwoKN8VJSL1Uo6cd8X/oURNbmKMNyh3jqv8o3J29EtLi4ZBGlmf8ljmlqYy97XCx4/+XmHd8a7VK/ZK+ox1GWo1ve2zhapCJZntBNUx2+Ab5E8v7CAFVcOpXvV+AAAxe3TeLs943LDxb4iTGvD6fIRB4J6ZR6jI+EPw959sgDkaVvANG7Nr72KQ8LuBIgyQfqf+m+iHiUj4SLub8eUbGXr45sj5eH6SVxU0CxrdR34NEWUjCII5KmpCckr5zRxXbaffxgnZdm2vKKO081W1smR0p8/nOBzQ8DI3feQCIChRSRIOORV9wT6RphUcA0b4nNYsG/2swVxRBK8YOLh3g0mmEmUKjzBNi369LJUIgTx1nP/O
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.15.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.15.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: tMO4FVIc9l.exe, 00000000.00000003.2148941162.0000000006135000.00000004.00000020.00020000.00000000.sdmp, tMO4FVIc9l.exe, 00000000.00000003.2148994056.000000000613C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: H4sIAAAAAAAAAN1ca2/juJL9K4t8HTmj9yMX+8Fxko5n8vDETvruvX0RyBJtK5EljSQn7R3Mf99TpJ62JbtngcXFAoOeSKwqFovFqlMk5T/ORnG0CJbjq+zs4uyPb2fXo+m3s4tvZ5PB00CRbdWw5IEyUBRpMrga6Kpm2wN1YH47k0DqL1lB+3dQqLKsaGhUZKl4YRi2BmateFY02zHxbIhn2dY1E60Ds3h2FFs3IcAoGGTLcNAdRBQUIJEVg/ovCXRTUepndOmYat2jrNqqBuWNgaGWfVqqYuH/A7XSSjYMFTLKZ4wZnSoDq3yWLctBu1VqqSoq0Tvls2kackMH2VC0hk6yY6kauAdK1YEOJdCBUz5rjqnXCsiOI9ty3S7bjmWQ0fkccAYVJE2NYXm7oaGpGZZBZqsZFINmRi/NhkE1JoKGaDoNszmOabSeDdNsdoAhqa2JxMTaA32gVAQwqd4QAI0UvWkTXdZhkfoZE6U0TaBamt16Vgy7Kc+2bWdgVDaVbdMg11EGdjlGh/5rjBlWtPTGGGxHNbizVc+K4jRUVDSTT3vVbplmc1ptQzHMhkq26tgGqaRUL+CemIWyQ90yoB9UqAgwD2rDipajW1qjB902uTNXg7QsQ2sxWAq3YukomCXHGWjQSrFLQ1myYjesoGsa962KwFIMp+UakCJDy6odhtAaM2XJMqa+HpVhGlpTBxNKtWbKVFWnXk2yIcO0TXrFkVXy1YpAk83mIA1b0dWmADin2Ry0amE1qdpAr8eo0kxiMuSSRsf0NpQyVNXQyV9LAsQESKgDDWxvI+5plRl0mqyGVphMRWs8q6am0mSrpUR0YjkNNeEv5G7awCnfaJaJwFQPjJtiAJ5SpmbKttIMZpYu80BSdSqT7Rsuq+o8GtZ9WpgqUKjFMBRL1uXGutdkzajoHcuBUZyBXTwqKixgDQxyV54KHBvuiWWsly+og4Ep/POJh2vbgHq2cPEnsU5NpTT0E7eb7hgDW4yBv9DhxgOKJnbxBmnBgRS1lGtbWAgU/kzxaGoyOahRPGoy5RS4kFALDm+SUrolLecKY4quXOi6Zcu6pL3Jy6Vumhe6ptiWJaUsY/k8iJZEIJuy5CmBjUiiXuiqqUPlzySOMjdXXw0ZJOQE0tubykzHhgxVtWxFchxjpSH0oB0Ly5Qc/22OWXDQhwVrS/OFt7Rs1cIzQpwp5c7vqRsFazcP4oit3SB0N3m8CMIQFI7hKBIWmEYBmHo0TEVic19bKhaNwjAR3fJkEMaks+aAVJrLylug2cYF9Y8OAmWpLk1ZJwU0w5GcxYItHRoTsgYWBNMsF2tKJXrbBj/G763c/PcNSwOWvRqvwTqBZTLo9/oZ5KvXlPlByrz8dZOGGcQgucCWvqvNNT5O3VEcyTdt31cd6tZQHZiOzQcZC8E22ETZKkgudAP+oUn2G+KcQQbBErMtKVCZBX1tsjmSu2SuFLZCAqXhI9FKzFE906Z2Be2GpMiub+uyTB2beHZ83XMdHeNHIAN/4LMoDxZbf05vsAqlTzcMWZ5kn2EQvW8S382ZMJYjBW++Y1oatCZgYUqKp9u6TaNSIF2TEDvtQNfQGaUsS7L0JVKfbZGyWA+S5rE3OIx9oWGlORaMqS90h6xgIArp0pvuywtTd7hyCA1zsj5AzYXmAOlYkuN5JpKphnYFwV7y48/ITdP4M/PSOAzJ/HkaLJcsjdjnhQbDyaoUAa+FMRwoWhJBvMnzeLkMaVCYG1NaWHN/aSrkxVjgiuRb9tsS8Q4WhQcbkim7iMoyOZgJl5OYrQOnOTSVgGNwOB/E3uIC6RH4THKNpfamWGBHPLBt6Lhm3xM34g7ygXlCorNUKYPh8ZZ5braau967FwbeO5o1pHIsdubrKoaNNYEeMvcDymdblm2CC0Q5VXMkOQgYohlMadka/PhNe/MD3YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.00000000014FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: Amcache.hve.15.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.15.dr Binary or memory string: \driver\vmci,\driver\pci
Source: RegAsm.exe, 0000000B.00000002.2352554407.00000000012E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWM
Source: Amcache.hve.15.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Amcache.hve.15.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: ZvP9NIG0u2hrWeb Data.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: RegAsm.exe, 00000015.00000002.2456254141.00000000014A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWB
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_00A6400F rdtsc 0_2_00A6400F
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00436340 LdrInitializeThunk, 12_2_00436340
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: 7_2_004E8CD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_004E8CD3
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: 7_2_004EC11D mov ecx, dword ptr fs:[00000030h] 7_2_004EC11D
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: 7_2_004F53CE mov eax, dword ptr fs:[00000030h] 7_2_004F53CE
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: 9_2_00BFC11D mov ecx, dword ptr fs:[00000030h] 9_2_00BFC11D
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: 9_2_00C053CE mov eax, dword ptr fs:[00000030h] 9_2_00C053CE
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 17_2_00E9C11D mov ecx, dword ptr fs:[00000030h] 17_2_00E9C11D
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 17_2_00EA53CE mov eax, dword ptr fs:[00000030h] 17_2_00EA53CE
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 20_2_00E9C11D mov ecx, dword ptr fs:[00000030h] 20_2_00E9C11D
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 20_2_00EA53CE mov eax, dword ptr fs:[00000030h] 20_2_00EA53CE
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: 7_2_004F79CD GetProcessHeap, 7_2_004F79CD
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: 7_2_004E8CD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_004E8CD3
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: 7_2_004E4D66 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_004E4D66
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: 7_2_004E4EC2 SetUnhandledExceptionFilter, 7_2_004E4EC2
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: 7_2_004E4FF9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_004E4FF9
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: 9_2_00BF8CD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00BF8CD3
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: 9_2_00BF4D66 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00BF4D66
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: 9_2_00BF4EC2 SetUnhandledExceptionFilter, 9_2_00BF4EC2
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: 9_2_00BF4FF9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00BF4FF9
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 17_2_00E98CD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00E98CD3
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 17_2_00E94D66 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00E94D66
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 17_2_00E94EC2 SetUnhandledExceptionFilter, 17_2_00E94EC2
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 17_2_00E94FF9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_00E94FF9
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 20_2_00E98CD3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00E98CD3
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 20_2_00E94D66 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00E94D66
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 20_2_00E94EC2 SetUnhandledExceptionFilter, 20_2_00E94EC2
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: 20_2_00E94FF9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_00E94FF9

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: 7_2_00C4018D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 7_2_00C4018D
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
LummaC encrypted strings found
Source: xq6J5KlULX6jlR3rET0T.exe, 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmp String found in binary or memory: roomabolishsnifftwk.shop
Source: xq6J5KlULX6jlR3rET0T.exe, 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmp String found in binary or memory: civilianurinedtsraov.shop
Source: xq6J5KlULX6jlR3rET0T.exe, 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmp String found in binary or memory: stalfbaclcalorieeis.shop
Source: xq6J5KlULX6jlR3rET0T.exe, 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmp String found in binary or memory: employhabragaomlsp.shop
Source: xq6J5KlULX6jlR3rET0T.exe, 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmp String found in binary or memory: femininiespywageg.shop
Source: xq6J5KlULX6jlR3rET0T.exe, 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmp String found in binary or memory: averageaattractiionsl.shop
Source: xq6J5KlULX6jlR3rET0T.exe, 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmp String found in binary or memory: buttockdecarderwiso.shop
Source: xq6J5KlULX6jlR3rET0T.exe, 00000007.00000002.2181029964.0000000000507000.00000004.00000001.01000000.00000006.sdmp String found in binary or memory: museumtespaceorsp.shop
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43B000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 6DE008 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43B000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E76008 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43B000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C48008 Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43B000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 11B6008
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43B000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9CC008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Process created: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe "C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_00A14699 cpuid 0_2_00A14699
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: EnumSystemLocalesW, 7_2_004F70F4
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: EnumSystemLocalesW, 7_2_004F70A9
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: EnumSystemLocalesW, 7_2_004F718F
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 7_2_004F721A
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: GetLocaleInfoW, 7_2_004EF305
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: GetLocaleInfoW, 7_2_004F746D
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: EnumSystemLocalesW, 7_2_004EEDDF
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 7_2_004F7596
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 7_2_004F6E07
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: GetLocaleInfoW, 7_2_004F769C
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 7_2_004F776B
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: EnumSystemLocalesW, 9_2_00C070F4
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: EnumSystemLocalesW, 9_2_00C070A9
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: EnumSystemLocalesW, 9_2_00C0718F
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 9_2_00C0721A
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: GetLocaleInfoW, 9_2_00BFF305
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: GetLocaleInfoW, 9_2_00C0746D
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 9_2_00C07596
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: EnumSystemLocalesW, 9_2_00BFEDDF
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: GetLocaleInfoW, 9_2_00C0769C
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 9_2_00C06E07
Source: C:\ProgramData\MSIUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\MSIUpdaterV202.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 9_2_00C0776B
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: EnumSystemLocalesW, 17_2_00EA70F4
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: EnumSystemLocalesW, 17_2_00EA70A9
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: EnumSystemLocalesW, 17_2_00EA718F
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 17_2_00EA721A
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: GetLocaleInfoW, 17_2_00E9F305
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: GetLocaleInfoW, 17_2_00EA746D
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: EnumSystemLocalesW, 17_2_00E9EDDF
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 17_2_00EA7596
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: GetLocaleInfoW, 17_2_00EA769C
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 17_2_00EA6E07
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 17_2_00EA776B
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: EnumSystemLocalesW, 20_2_00EA70F4
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: EnumSystemLocalesW, 20_2_00EA70A9
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: EnumSystemLocalesW, 20_2_00EA718F
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 20_2_00EA721A
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: GetLocaleInfoW, 20_2_00E9F305
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: GetLocaleInfoW, 20_2_00EA746D
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: EnumSystemLocalesW, 20_2_00E9EDDF
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 20_2_00EA7596
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: GetLocaleInfoW, 20_2_00EA769C
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 20_2_00EA6E07
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_55fe1070a367c8a2ee8e8e5d74ec3cf7\AdobeUpdaterV202.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 20_2_00EA776B
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\spanDxygJpUhAdhw\xq6J5KlULX6jlR3rET0T.exe Code function: 7_2_004E4C60 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 7_2_004E4C60
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Code function: 0_2_00AA623D GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA, 0_2_00AA623D
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.15.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.15.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.15.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.15.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000015.00000002.2456519007.0000000001505000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000019.00000002.2498499806.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.15.dr Binary or memory string: MsMpEng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5920, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 500, type: MEMORYSTR
Yara detected RisePro Stealer
Source: Yara match File source: 00000000.00000003.2155682026.0000000006044000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2259208520.000000000611B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tMO4FVIc9l.exe PID: 3108, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\KBHGMwjOItm_DLNJJFRnML7.zip, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\wallets
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/JAXX New Version
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.0000000001548000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: v\user\AppData\Roaming\Exodus\exodus.wallet
Source: tMO4FVIc9l.exe, 00000000.00000002.2258511211.0000000001548000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: v\user\AppData\Roaming\Exodus\exodus.wallet
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: RegAsm.exe, 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: RegAsm.exe, 0000000C.00000002.2244993517.000000000118F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\formhistory.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\signons.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\logins.json Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\signons.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Tries to steal Crypto Currency Wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\tMO4FVIc9l.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Searches for user specific document files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Yara detected Credential Stealer
Source: Yara match File source: 00000008.00000002.2350449893.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tMO4FVIc9l.exe PID: 3108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5920, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3160, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5920, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 500, type: MEMORYSTR
Yara detected RisePro Stealer
Source: Yara match File source: 00000000.00000003.2155682026.0000000006044000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2259208520.000000000611B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tMO4FVIc9l.exe PID: 3108, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\KBHGMwjOItm_DLNJJFRnML7.zip, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1446871 Sample: tMO4FVIc9l.exe Startdate: 24/05/2024 Architecture: WINDOWS Score: 100 52 employhabragaomlsp.shop 2->52 54 ipinfo.io 2->54 56 db-ip.com 2->56 66 Snort IDS alert for network traffic 2->66 68 Found malware configuration 2->68 70 Antivirus detection for URL or domain 2->70 72 10 other signatures 2->72 8 tMO4FVIc9l.exe 1 77 2->8         started        13 MSIUpdaterV202.exe 2->13         started        15 AdobeUpdaterV202.exe 2->15         started        17 4 other processes 2->17 signatures3 process4 dnsIp5 60 5.42.65.116, 49710, 49714, 50500 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 8->60 62 ipinfo.io 34.117.186.192, 443, 49711 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->62 64 db-ip.com 104.26.5.15, 443, 49712 CLOUDFLARENETUS United States 8->64 44 C:\Users\user\...\xq6J5KlULX6jlR3rET0T.exe, PE32 8->44 dropped 46 C:\Users\user\AppData\...\lumma2305[1].exe, PE32 8->46 dropped 48 C:\Users\user\...\AdobeUpdaterV202.exe, PE32 8->48 dropped 50 2 other malicious files 8->50 dropped 96 Tries to steal Mail credentials (via file / registry access) 8->96 98 Found many strings related to Crypto-Wallets (likely being stolen) 8->98 100 Uses schtasks.exe or at.exe to add and modify task schedules 8->100 102 Tries to harvest and steal browser information (history, passwords, etc) 8->102 19 xq6J5KlULX6jlR3rET0T.exe 8->19         started        22 schtasks.exe 1 8->22         started        24 schtasks.exe 1 8->24         started        26 WerFault.exe 8->26         started        104 Antivirus detection for dropped file 13->104 106 Multi AV Scanner detection for dropped file 13->106 108 Machine Learning detection for dropped file 13->108 28 RegAsm.exe 13->28         started        110 Writes to foreign memory regions 15->110 112 Allocates memory in foreign processes 15->112 114 Injects a PE file into a foreign processes 15->114 30 RegAsm.exe 15->30         started        32 RegAsm.exe 17->32         started        34 RegAsm.exe 17->34         started        file6 signatures7 process8 signatures9 74 Antivirus detection for dropped file 19->74 76 Multi AV Scanner detection for dropped file 19->76 78 Machine Learning detection for dropped file 19->78 88 5 other signatures 19->88 36 RegAsm.exe 19->36         started        40 conhost.exe 22->40         started        42 conhost.exe 24->42         started        80 Query firmware table information (likely to detect VMs) 30->80 82 Tries to harvest and steal browser information (history, passwords, etc) 30->82 84 Tries to steal Crypto Currency Wallets 30->84 86 Found many strings related to Crypto-Wallets (likely being stolen) 32->86 process10 dnsIp11 58 employhabragaomlsp.shop 188.114.96.3, 443, 49715, 49716 CLOUDFLARENETUS European Union 36->58 90 Query firmware table information (likely to detect VMs) 36->90 92 Found many strings related to Crypto-Wallets (likely being stolen) 36->92 94 Tries to steal Crypto Currency Wallets 36->94 signatures12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
34.117.186.192
 ipinfo.io United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
188.114.96.3
 employhabragaomlsp.shop European Union
13335 CLOUDFLARENETUS true
104.26.5.15
 db-ip.com United States
13335 CLOUDFLARENETUS false
5.42.65.116
 unknown Russian Federation
39493 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU true

Contacted Domains

Name IP Active
employhabragaomlsp.shop 188.114.96.3 true
ipinfo.io 34.117.186.192 true
db-ip.com 104.26.5.15 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
averageaattractiionsl.shop true
  • Avira URL Cloud: safe
 unknown
https://db-ip.com/demo/home.php?s=8.46.123.175 false
  • Avira URL Cloud: safe
 unknown
buttockdecarderwiso.shop true
  • Avira URL Cloud: safe
 unknown
employhabragaomlsp.shop true
  • Avira URL Cloud: safe
 unknown
http://5.42.65.116/lumma2305.exe true
  • Avira URL Cloud: phishing
 unknown
roomabolishsnifftwk.shop true
  • Avira URL Cloud: safe
 unknown
https://employhabragaomlsp.shop/api true
  • Avira URL Cloud: safe
 unknown
femininiespywageg.shop true
  • Avira URL Cloud: safe
 unknown
https://ipinfo.io/widget/demo/8.46.123.175 false
  • Avira URL Cloud: safe
 unknown
civilianurinedtsraov.shop true
  • Avira URL Cloud: safe
 unknown
museumtespaceorsp.shop true
  • Avira URL Cloud: safe
 unknown
stalfbaclcalorieeis.shop true
  • Avira URL Cloud: safe
 unknown