Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1604558
MD5: 110428c5134fdb8bfb75f12f70802d20
SHA1: 245c9ba68a249cc09d0599d35c71dd2e7f94b8de
SHA256: 531a04314ef78658a5b42e55068fdb73bc2f9a9e26142ee1e0f0478fa0e6d080
Tags: de-pumpedexeuser-abuse_ch
Infos:

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected UAC Bypass using CMSTP
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://u2.servicelandingkaraoke.shop/j( Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/Wg Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/o9KO3fvYKCIahJmiAh Avira URL Cloud: Label: malware
Source: https://cegu.shop/Q Avira URL Cloud: Label: malware
Source: https://u2.servicelandingkaraoke.shop/cp_sh.eml Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz:443/apiO% Avira URL Cloud: Label: malware
Source: https://u2.servicelandingkaraoke.shop:443/cp_sh.eml Avira URL Cloud: Label: malware
Source: https://u2.servicelandingkaraoke.shop/ Avira URL Cloud: Label: malware
Source: https://cegu.shop/W Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txtE Avira URL Cloud: Label: malware
Source: https://u2.servicelandingkaraoke.shop/cp_sh.emlONNA Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/ts Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz:443/apin Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/z7 Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/r Avira URL Cloud: Label: malware
Source: https://cegu.shop:443/8574262446/ph.txtiVirusProductWindows Avira URL Cloud: Label: malware
Source: https://u2.servicelandingkaraoke.shop/cp_sh.emlY Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/pi% Avira URL Cloud: Label: malware
Source: https://toppyneedus.biz/apiLT Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ubtqn Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\mkkmikiccu Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Found malware configuration
Source: file.exe.7272.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": "https://toppyneedus.biz/api", "Build Version": "hRjzG3--TRON"}
Multi AV Scanner detection for submitted file
Source: file.exe Virustotal: Detection: 12% Perma Link
Source: file.exe ReversingLabs: Detection: 13%
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ubtqn Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\mkkmikiccu Joe Sandbox ML: detected

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 9.2.iTunesHelper.exe.2231a1cbb02.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.more.com.49f5b9e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.more.com.4ee3c6b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.more.com.4d9eb9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.iTunesHelper.exe.1a671520b02.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.iTunesHelper.exe.204b5878702.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.iTunesHelper.exe.2231a1cc702.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.updater.exe.3b2b86b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.more.com.4de486b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.updater.exe.378dc6b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.updater.exe.3748b9e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.updater.exe.378e86b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.iTunesHelper.exe.204b5832a35.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.more.com.4a3b86b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.more.com.4de3c6b.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.iTunesHelper.exe.204b5877b02.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.more.com.4ee486b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.iTunesHelper.exe.1593bfd2702.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.more.com.4a3ac6b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.updater.exe.3b2ac6b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.iTunesHelper.exe.1a6714dba35.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.iTunesHelper.exe.2231a186a35.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.iTunesHelper.exe.1a671521702.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.more.com.4e9eb9e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.updater.exe.3ae5b9e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.iTunesHelper.exe.1593bf8ca35.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.iTunesHelper.exe.1593bfd1b02.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2609767471.0000000003742000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2515668453.0000000004E98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2467634797.000002231A180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2497776328.0000000003020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2593595925.0000000004D98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2522601354.00000204B582C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2429206078.000001593BF86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2439278082.000001A6714D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2498814622.00000000049EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2595347359.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.9:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.9:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.9:49825 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.9:49832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.9:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.9:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.9:49857 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.9:49870 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.9:49885 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49891 version: TLS 1.2
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: iTunesHelper.exe, 00000005.00000002.2420389290.0000015931BAC000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2432754582.00007FF8FF545000.00000002.00000001.01000000.0000000F.sdmp, iTunesHelper.exe, 00000006.00000002.2443005994.00007FF8FDE05000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: D:\BWA\3C094522-C7EC-0\objc4-528.1\srcroot\win32\x64\Release\objc.pdb44 source: file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2433093301.00007FF8FF5C8000.00000002.00000001.01000000.0000000A.sdmp, iTunesHelper.exe, 00000006.00000002.2442776246.00007FF8F9018000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: file.exe, 00000000.00000003.1890641798.0000000005B86000.00000004.00000800.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2431530186.00007FF8F8386000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdbGCTL source: file.exe, 00000000.00000003.1890641798.0000000005B86000.00000004.00000800.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2431530186.00007FF8F8386000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\BWA\32982D95-6B3A-0\libdispatch-244.1.23\srcroot\vsprojects\Release\libdispatch.pdb source: iTunesHelper.exe, 00000005.00000002.2432917960.00007FF8FF562000.00000002.00000001.01000000.0000000B.sdmp, iTunesHelper.exe, 00000006.00000002.2442664031.00007FF8F8BC2000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\iTunes\iPodSupport\(Win32)\BuildResults\Production64\bin\iTunesHelper.pdb source: iTunesHelper.exe, 00000005.00000000.2220938190.00007FF65169E000.00000002.00000001.01000000.00000007.sdmp, iTunesHelper.exe, 00000005.00000002.2430562413.00007FF65169E000.00000002.00000001.01000000.00000007.sdmp, iTunesHelper.exe, 00000006.00000000.2419996203.00007FF72C63E000.00000002.00000001.01000000.00000013.sdmp, iTunesHelper.exe, 00000006.00000002.2441252540.00007FF72C63E000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\BWA\5580C191-5A7D-0\WinASL-55\srcroot\Release\x64\ASL.pdb source: iTunesHelper.exe, 00000005.00000002.2433539766.00007FF8FF5EC000.00000002.00000001.01000000.00000009.sdmp, iTunesHelper.exe, 00000006.00000002.2442904431.00007FF8F9D6C000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: ntdll.pdb source: iTunesHelper.exe, 00000005.00000002.2429944474.000001593C690000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2430172305.000001593CA90000.00000004.00000800.00020000.00000000.sdmp, iTunesHelper.exe, 00000006.00000002.2439948092.000001A671BEF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\BWA\C6C59E02-D7F8-0\ICU-62110.3.8\objroot\obj64\lib\libicuin.pdb source: iTunesHelper.exe, 00000005.00000002.2431155550.00007FF8E8358000.00000002.00000001.01000000.00000010.sdmp, iTunesHelper.exe, 00000006.00000002.2441520136.00007FF8E77B8000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: ntdll.pdbUGP source: iTunesHelper.exe, 00000005.00000002.2429944474.000001593C690000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2430172305.000001593CA90000.00000004.00000800.00020000.00000000.sdmp, iTunesHelper.exe, 00000006.00000002.2439948092.000001A671BEF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\BWA\32982D95-6B3A-0\libdispatch-244.1.23\srcroot\vsprojects\Release\libdispatch.pdb!! source: iTunesHelper.exe, 00000005.00000002.2432917960.00007FF8FF562000.00000002.00000001.01000000.0000000B.sdmp, iTunesHelper.exe, 00000006.00000002.2442664031.00007FF8F8BC2000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: D:\BWA\C5E719F6-483C-0\CF_x64-750.443\objroot\CoreFoundation.build\x64\Release\CoreFoundation.pdbvv source: file.exe, 00000000.00000003.2204000836.00000000087FE000.00000004.00000800.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2431895251.00007FF8F8578000.00000002.00000001.01000000.00000008.sdmp, iTunesHelper.exe, 00000006.00000002.2442155654.00007FF8E8158000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: D:\BWA\3C094522-C7EC-0\objc4-528.1\srcroot\win32\x64\Release\objc.pdb source: file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2433093301.00007FF8FF5C8000.00000002.00000001.01000000.0000000A.sdmp, iTunesHelper.exe, 00000006.00000002.2442776246.00007FF8F9018000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: D:\BWA\C5E719F6-483C-0\CF_x64-750.443\objroot\CoreFoundation.build\x64\Release\CoreFoundation.pdb source: file.exe, 00000000.00000003.2204000836.00000000087FE000.00000004.00000800.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2431895251.00007FF8F8578000.00000002.00000001.01000000.00000008.sdmp, iTunesHelper.exe, 00000006.00000002.2442155654.00007FF8E8158000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: file.exe, 00000000.00000003.1893931582.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2420389290.0000015931BAC000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2432289672.00007FF8FDE21000.00000002.00000001.01000000.0000000D.sdmp, iTunesHelper.exe, 00000006.00000002.2442558070.00007FF8F8BA1000.00000002.00000001.01000000.0000001A.sdmp, iTunesHelper.exe, 00000011.00000002.2526960989.00007FF8FDE21000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: D:\BWA\C6C59E02-D7F8-0\ICU-62110.3.8\objroot\obj64\lib\libicuuc.pdb source: file.exe, 00000000.00000003.1890147478.0000000005B80000.00000004.00000800.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2432542835.00007FF8FDF05000.00000002.00000001.01000000.0000000C.sdmp, iTunesHelper.exe, 00000006.00000002.2441842650.00007FF8E7965000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: file.exe, 00000000.00000003.1893931582.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2420389290.0000015931BAC000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2432289672.00007FF8FDE21000.00000002.00000001.01000000.0000000D.sdmp, iTunesHelper.exe, 00000006.00000002.2442558070.00007FF8F8BA1000.00000002.00000001.01000000.0000001A.sdmp, iTunesHelper.exe, 00000011.00000002.2526960989.00007FF8FDE21000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: iTunesHelper.exe, 00000005.00000002.2420389290.0000015931BAC000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2432754582.00007FF8FF545000.00000002.00000001.01000000.0000000F.sdmp, iTunesHelper.exe, 00000006.00000002.2443005994.00007FF8FDE05000.00000002.00000001.01000000.0000001C.sdmp
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF6516943C4 FindFirstFileExW, 5_2_00007FF6516943C4
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651674790 WideCharToMultiByte,WideCharToMultiByte,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose, 5_2_00007FF651674790
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F833A260 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn, 5_2_00007FF8F833A260

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2059423 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.2.9:49990 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059771 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) : 192.168.2.9:49990 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.9:49810 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2059772 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.9:49810 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2059646 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (guardeduppe .com) : 192.168.2.9:59297 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059769 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (guardeduppe .com) : 192.168.2.9:59297 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.9:49832 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2059772 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.9:49832 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.9:49816 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2059772 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.9:49816 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.9:49839 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.9:49857 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2059772 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.9:49857 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2059772 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.9:49839 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.9:49870 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2059772 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.9:49870 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.9:49852 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2059772 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.9:49852 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.9:49825 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2059772 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.9:49825 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2059424 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.9:49885 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2059772 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) : 192.168.2.9:49885 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49810 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49810 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:49852 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.9:49816 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49816 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49885 -> 104.21.29.142:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://toppyneedus.biz/api
Detected non-DNS traffic on DNS port
Source: global traffic TCP traffic: 192.168.2.9:60643 -> 162.159.36.2:53
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 104.21.29.142 104.21.29.142
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49810 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49832 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49816 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49857 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49839 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49870 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49852 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49891 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49825 -> 104.21.29.142:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49885 -> 104.21.29.142:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 78Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=R0KJCADPGWYCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12808Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=MAKKNF5BUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15002Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HDFALNDQ4FN7OUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20548Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=TRCZVM4JHTAAB8EHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7117Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QZ7MHHYCK90OPPWWEQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2367Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=RXKVJYPRZ7E3YNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 588830Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 113Host: toppyneedus.biz
Source: global traffic HTTP traffic detected: GET /cp_sh.eml HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: u2.servicelandingkaraoke.shop
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /cp_sh.eml HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: u2.servicelandingkaraoke.shop
Source: global traffic HTTP traffic detected: GET /profiles/76561198446647282 HTTP/1.1Host: steamcommunity.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic HTTP traffic detected: GET /profiles/76561198803575301 HTTP/1.1Host: steamcommunity.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic DNS traffic detected: DNS query: entrepreneurstop.top
Source: global traffic DNS traffic detected: DNS query: guardeduppe.com
Source: global traffic DNS traffic detected: DNS query: toppyneedus.biz
Source: global traffic DNS traffic detected: DNS query: cegu.shop
Source: global traffic DNS traffic detected: DNS query: u2.servicelandingkaraoke.shop
Source: global traffic DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: toppyneedus.biz
Source: file.exe, 00000000.00000003.1890147478.0000000005B80000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000003.2419538416.000001593CC96000.00000004.00000001.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2420389290.0000015931BAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe, 00000000.00000003.1561679409.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1561679409.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.1890147478.0000000005B80000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000003.2419538416.000001593CC96000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe, 00000000.00000003.1890147478.0000000005B80000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000003.2419538416.000001593CC96000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe, 00000000.00000003.1890147478.0000000005B80000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000003.2419538416.000001593CC96000.00000004.00000001.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2420389290.0000015931BAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, 00000000.00000003.1561679409.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.1890147478.0000000005B80000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000003.2419538416.000001593CC96000.00000004.00000001.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2420389290.0000015931BAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe, 00000000.00000003.1561679409.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1561679409.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.1890147478.0000000005B80000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000003.2419538416.000001593CC96000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe, 00000000.00000003.1890147478.0000000005B80000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000003.2419538416.000001593CC96000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: iTunesHelper.exe, 00000005.00000003.2419538416.000001593CC96000.00000004.00000001.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2420389290.0000015931BAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe, 00000000.00000003.1561679409.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.1890147478.0000000005B80000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000003.2419538416.000001593CC96000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe, 00000000.00000003.1561679409.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.1890147478.0000000005B80000.00000004.00000800.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000003.2419538416.000001593CC96000.00000004.00000001.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2432658553.00007FF8FDFB0000.00000002.00000001.01000000.0000000C.sdmp, iTunesHelper.exe, 00000005.00000002.2431444227.00007FF8E8427000.00000002.00000001.01000000.00000010.sdmp, iTunesHelper.exe, 00000005.00000002.2420782623.00000159334E0000.00000002.00000001.01000000.00000011.sdmp, iTunesHelper.exe, 00000006.00000002.2441942432.00007FF8E7A10000.00000002.00000001.01000000.00000018.sdmp String found in binary or memory: http://icu-project.org
Source: file.exe, 00000000.00000003.1561679409.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1890147478.0000000005B80000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000003.2419538416.000001593CC96000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1890147478.0000000005B80000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000003.2419538416.000001593CC96000.00000004.00000001.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2420389290.0000015931BAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, 00000000.00000003.1890147478.0000000005B80000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000003.2419538416.000001593CC96000.00000004.00000001.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2420389290.0000015931BAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, 00000000.00000003.1890147478.0000000005B80000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000003.2419538416.000001593CC96000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, 00000000.00000003.1561679409.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.1890147478.0000000005B80000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000003.2419538416.000001593CC96000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.apple.com/
Source: iTunesHelper.exe, 00000005.00000002.2431895251.00007FF8F854C000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: file.exe, 00000000.00000003.1890147478.0000000005B80000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000003.2419538416.000001593CC96000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: iTunesHelper.exe, 00000005.00000002.2429206078.000001593BF2F000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000007.00000002.2515668453.0000000004E4F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: iTunesHelper.exe, 00000006.00000002.2433247775.000001A667FF9000.00000002.00000001.01000000.0000001D.sdmp String found in binary or memory: http://www.unicode.org/copyright.html
Source: file.exe, 00000000.00000003.1561679409.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1561679409.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.1536587829.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1536465633.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1536335892.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1536587829.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1536465633.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1536335892.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe String found in binary or memory: https://cegu.shop/
Source: file.exe, file.exe, 00000000.00000003.1889206855.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cegu.shop/8574262446/ph.txt
Source: file.exe, 00000000.00000003.1889206855.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cegu.shop/8574262446/ph.txtE
Source: file.exe, 00000000.00000003.1889206855.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cegu.shop/Q
Source: file.exe, 00000000.00000003.1889206855.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cegu.shop/W
Source: file.exe String found in binary or memory: https://cegu.shop:443/8574262446/ph.txt
Source: file.exe, 00000000.00000003.1889206855.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cegu.shop:443/8574262446/ph.txtiVirusProductWindows
Source: file.exe, 00000000.00000003.1536587829.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1536465633.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1536335892.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1536587829.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1536465633.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1536335892.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1536587829.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1536465633.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1536335892.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1536587829.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1536465633.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1536335892.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1536587829.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1536465633.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1536335892.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.1562978556.00000000059F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.1562978556.00000000059F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.1888983289.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1615247518.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1616172140.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1625391656.0000000000EA1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1616238798.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1615485997.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz/
Source: file.exe, 00000000.00000003.1602423466.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1601418578.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz/Wg
Source: file.exe, file.exe, 00000000.00000003.1625391656.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1601639777.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1615503549.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1601418578.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1601620261.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz/api
Source: file.exe, 00000000.00000003.1615503549.0000000000E34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz/apiLT
Source: file.exe, 00000000.00000003.1601205824.0000000000EC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz/o9KO3fvYKCIahJmiAh
Source: file.exe, 00000000.00000003.1888983289.0000000000EA1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1891000798.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz/pi
Source: file.exe, 00000000.00000003.1601418578.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1601620261.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz/pi%
Source: file.exe, 00000000.00000003.1615247518.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1616172140.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1616238798.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1615485997.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz/r
Source: file.exe, 00000000.00000003.1602498961.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1602274983.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1601418578.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1601620261.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz/ts
Source: file.exe, 00000000.00000003.1615247518.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz/z7
Source: file.exe, file.exe, 00000000.00000003.1889206855.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1615247518.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1616189895.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1625391656.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1602423466.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1601418578.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz:443/api
Source: file.exe, 00000000.00000003.1889206855.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz:443/apiO%
Source: file.exe, 00000000.00000003.1889206855.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1625391656.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toppyneedus.biz:443/apin
Source: file.exe String found in binary or memory: https://u2.servicelandingkaraoke.shop/
Source: file.exe, file.exe, 00000000.00000003.1889206855.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1888983289.0000000000EA1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1888983289.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1891000798.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://u2.servicelandingkaraoke.shop/cp_sh.eml
Source: file.exe, 00000000.00000003.1888983289.0000000000EA1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1891000798.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://u2.servicelandingkaraoke.shop/cp_sh.emlONNA
Source: file.exe, 00000000.00000003.1889206855.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://u2.servicelandingkaraoke.shop/cp_sh.emlY
Source: file.exe, 00000000.00000003.1889206855.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://u2.servicelandingkaraoke.shop/j(
Source: file.exe, file.exe, 00000000.00000003.1889206855.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://u2.servicelandingkaraoke.shop:443/cp_sh.eml
Source: file.exe, 00000000.00000003.1536587829.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1536465633.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1536335892.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1536587829.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1536465633.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1536335892.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.1562978556.00000000059F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: file.exe, 00000000.00000003.1562978556.00000000059F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: file.exe, 00000000.00000003.1562978556.00000000059F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.1562978556.00000000059F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1562978556.00000000059F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000003.1562978556.00000000059F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60730
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 60729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 60730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.9:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.9:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.9:49825 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.9:49832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.9:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.9:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.9:49857 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.9:49870 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.29.142:443 -> 192.168.2.9:49885 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49891 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 9.2.iTunesHelper.exe.2231a1cbb02.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.more.com.49f5b9e.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.more.com.4ee3c6b.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.more.com.4d9eb9e.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.iTunesHelper.exe.1a671520b02.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.iTunesHelper.exe.204b5878702.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.iTunesHelper.exe.2231a1cc702.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.updater.exe.3b2b86b.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.more.com.4de486b.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.updater.exe.378dc6b.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.updater.exe.3748b9e.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.updater.exe.378e86b.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.iTunesHelper.exe.204b5832a35.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.more.com.4a3b86b.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.more.com.4de3c6b.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.iTunesHelper.exe.204b5877b02.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.more.com.4ee486b.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.iTunesHelper.exe.1593bfd2702.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.more.com.4a3ac6b.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.updater.exe.3b2ac6b.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.iTunesHelper.exe.1a6714dba35.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.iTunesHelper.exe.2231a186a35.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.iTunesHelper.exe.1a671521702.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.more.com.4e9eb9e.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.updater.exe.3ae5b9e.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.iTunesHelper.exe.1593bf8ca35.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.iTunesHelper.exe.1593bfd1b02.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Binary is likely a compiled AutoIt script file
Source: file.exe, 00000000.00000000.1353085372.0000000000785000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_be4d39c8-2
Source: file.exe, 00000000.00000000.1353085372.0000000000785000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_918d5c75-d
Source: file.exe, 00000000.00000003.1510662930.00000000042A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_e2481cf9-c
Source: file.exe, 00000000.00000003.1510662930.00000000042A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_d8ef9922-f
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF6516751D0: CreateFileW,DeviceIoControl,CloseHandle, 5_2_00007FF6516751D0
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF6516792B0 5_2_00007FF6516792B0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF65169C308 5_2_00007FF65169C308
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF65168C300 5_2_00007FF65168C300
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF6516912C8 5_2_00007FF6516912C8
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF6516842BC 5_2_00007FF6516842BC
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651691948 5_2_00007FF651691948
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF65168C940 5_2_00007FF65168C940
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF6516829FC 5_2_00007FF6516829FC
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF6516751D0 5_2_00007FF6516751D0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF65169351C 5_2_00007FF65169351C
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651675510 5_2_00007FF651675510
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651688CE4 5_2_00007FF651688CE4
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651692CD0 5_2_00007FF651692CD0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651682C08 5_2_00007FF651682C08
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF6516973F8 5_2_00007FF6516973F8
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF6516823E8 5_2_00007FF6516823E8
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF65168A3D4 5_2_00007FF65168A3D4
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF6516753D0 5_2_00007FF6516753D0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF6516943C4 5_2_00007FF6516943C4
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651686EAC 5_2_00007FF651686EAC
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651673670 5_2_00007FF651673670
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651671720 5_2_00007FF651671720
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651689EC8 5_2_00007FF651689EC8
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF6516846C0 5_2_00007FF6516846C0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651690E34 5_2_00007FF651690E34
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651682E0C 5_2_00007FF651682E0C
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651672E00 5_2_00007FF651672E00
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF6516825EC 5_2_00007FF6516825EC
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF6516740A0 5_2_00007FF6516740A0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF65168F068 5_2_00007FF65168F068
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651683928 5_2_00007FF651683928
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651692F4C 5_2_00007FF651692F4C
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651675830 5_2_00007FF651675830
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF6516827F8 5_2_00007FF6516827F8
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E82DC9A0 5_2_00007FF8E82DC9A0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81DC980 5_2_00007FF8E81DC980
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81D89E0 5_2_00007FF8E81D89E0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81F7A70 5_2_00007FF8E81F7A70
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81DBB30 5_2_00007FF8E81DBB30
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81F0B90 5_2_00007FF8E81F0B90
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81F6CB0 5_2_00007FF8E81F6CB0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81E5CC0 5_2_00007FF8E81E5CC0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81E2D40 5_2_00007FF8E81E2D40
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81EAF00 5_2_00007FF8E81EAF00
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81ECF70 5_2_00007FF8E81ECF70
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E8226070 5_2_00007FF8E8226070
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E829A050 5_2_00007FF8E829A050
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81F7100 5_2_00007FF8E81F7100
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81F0110 5_2_00007FF8E81F0110
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81FF160 5_2_00007FF8E81FF160
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81F41A0 5_2_00007FF8E81F41A0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E82271B0 5_2_00007FF8E82271B0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81FD1B0 5_2_00007FF8E81FD1B0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E8212210 5_2_00007FF8E8212210
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E820A240 5_2_00007FF8E820A240
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81D3320 5_2_00007FF8E81D3320
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E8203360 5_2_00007FF8E8203360
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E8280380 5_2_00007FF8E8280380
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81D4430 5_2_00007FF8E81D4430
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81D6710 5_2_00007FF8E81D6710
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E8288780 5_2_00007FF8E8288780
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E820F7E0 5_2_00007FF8E820F7E0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E82D9890 5_2_00007FF8E82D9890
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F834C140 5_2_00007FF8F834C140
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F835B160 5_2_00007FF8F835B160
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F8346A58 5_2_00007FF8F8346A58
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F833FA30 5_2_00007FF8F833FA30
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F834D2B0 5_2_00007FF8F834D2B0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F833B338 5_2_00007FF8F833B338
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F836AAFC 5_2_00007FF8F836AAFC
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F8354B30 5_2_00007FF8F8354B30
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F83463C8 5_2_00007FF8F83463C8
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F836344C 5_2_00007FF8F836344C
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F834E470 5_2_00007FF8F834E470
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F8365470 5_2_00007FF8F8365470
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F834FCD0 5_2_00007FF8F834FCD0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F8364CA0 5_2_00007FF8F8364CA0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F8367540 5_2_00007FF8F8367540
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F8350560 5_2_00007FF8F8350560
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F835250C 5_2_00007FF8F835250C
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F8350E3C 5_2_00007FF8F8350E3C
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F8366650 5_2_00007FF8F8366650
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F8345E60 5_2_00007FF8F8345E60
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F8356668 5_2_00007FF8F8356668
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F836C610 5_2_00007FF8F836C610
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F8369E18 5_2_00007FF8F8369E18
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F835A6C0 5_2_00007FF8F835A6C0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F833C6B0 5_2_00007FF8F833C6B0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F8356EFC 5_2_00007FF8F8356EFC
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F83466FC 5_2_00007FF8F83466FC
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F836FF06 5_2_00007FF8F836FF06
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F836BF18 5_2_00007FF8F836BF18
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F835C720 5_2_00007FF8F835C720
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F834AFD0 5_2_00007FF8F834AFD0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F83557E0 5_2_00007FF8F83557E0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F833D7B0 5_2_00007FF8F833D7B0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F836183C 5_2_00007FF8F836183C
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F833E8D0 5_2_00007FF8F833E8D0
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\MsiSleuth\ASL.dll 52659DE729FD277E9CDBDF3AD3F7663C8199FDB5D79E07211F6B77CA2F392BD1
Source: Joe Sandbox View Dropped File: C:\ProgramData\MsiSleuth\CoreFoundation.dll F9538CF255C377A9F4AA616BAA123143A3238F319A6950EFE735C9120204F405
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\ASL.dll 52659DE729FD277E9CDBDF3AD3F7663C8199FDB5D79E07211F6B77CA2F392BD1
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: String function: 00007FF651675F60 appears 32 times
PE file contains executable resources (Code or Archives)
Source: ASL.dll.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ASL.dll.5.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000000.1353177166.0000000000798000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAutoItRun.exeF vs file.exe
Source: file.exe, 00000000.00000003.1890147478.0000000005B80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibicuuc.dll vs file.exe
Source: file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameobjc.dllD vs file.exe
Source: file.exe, 00000000.00000003.2204000836.0000000008882000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCoreFoundation.dll< vs file.exe
Source: file.exe, 00000000.00000003.1890641798.0000000005B86000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp140.dllT vs file.exe
Source: file.exe, 00000000.00000003.1510662930.00000000042B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoItRun.exeF vs file.exe
Source: file.exe, 00000000.00000003.1893931582.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 9.2.iTunesHelper.exe.2231a1cbb02.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.more.com.49f5b9e.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.more.com.4ee3c6b.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.more.com.4d9eb9e.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.iTunesHelper.exe.1a671520b02.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.iTunesHelper.exe.204b5878702.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.iTunesHelper.exe.2231a1cc702.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.updater.exe.3b2b86b.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.more.com.4de486b.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.updater.exe.378dc6b.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.updater.exe.3748b9e.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.updater.exe.378e86b.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.iTunesHelper.exe.204b5832a35.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.more.com.4a3b86b.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.more.com.4de3c6b.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.iTunesHelper.exe.204b5877b02.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.more.com.4ee486b.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.iTunesHelper.exe.1593bfd2702.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.more.com.4a3ac6b.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.updater.exe.3b2ac6b.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.iTunesHelper.exe.1a6714dba35.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.iTunesHelper.exe.2231a186a35.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.iTunesHelper.exe.1a671521702.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.more.com.4e9eb9e.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.updater.exe.3ae5b9e.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.iTunesHelper.exe.1593bf8ca35.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.iTunesHelper.exe.1593bfd1b02.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@20/17@7/4
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F833A6F0 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn, 5_2_00007FF8F833A6F0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF6516721A0 CoCreateInstance, 5_2_00007FF6516721A0
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\updater.exe Mutant created: \Sessions\1\BaseNamedObjects\XMCBTY
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3480:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\updater.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\3630303063323963613738393232363933616536353430613835623534623531
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000003.1537819372.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1537353339.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1549159241.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1549159241.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe Virustotal: Detection: 12%
Source: file.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe "C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe"
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Process created: C:\ProgramData\MsiSleuth\iTunesHelper.exe C:\ProgramData\MsiSleuth\iTunesHelper.exe
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MsiSleuth\iTunesHelper.exe C:\ProgramData\MsiSleuth\iTunesHelper.exe
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\more.com Process created: C:\Users\user\AppData\Local\Temp\updater.exe C:\Users\user\AppData\Local\Temp\updater.exe
Source: unknown Process created: C:\ProgramData\MsiSleuth\iTunesHelper.exe "C:\ProgramData\MsiSleuth\iTunesHelper.exe"
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\more.com Process created: C:\Users\user\AppData\Local\Temp\updater.exe C:\Users\user\AppData\Local\Temp\updater.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe "C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Process created: C:\ProgramData\MsiSleuth\iTunesHelper.exe C:\ProgramData\MsiSleuth\iTunesHelper.exe Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com Jump to behavior
Source: C:\Windows\SysWOW64\more.com Process created: C:\Users\user\AppData\Local\Temp\updater.exe C:\Users\user\AppData\Local\Temp\updater.exe Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com Jump to behavior
Source: C:\Windows\SysWOW64\more.com Process created: C:\Users\user\AppData\Local\Temp\updater.exe C:\Users\user\AppData\Local\Temp\updater.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: corefoundation.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: objc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: asl.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: libdispatch.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: libicuin.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: libicuuc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: icudt62.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: corefoundation.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: objc.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: asl.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: libdispatch.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: libicuin.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: libicuuc.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: icudt62.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: pla.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: pdh.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: tdh.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: corefoundation.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: objc.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: asl.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: libdispatch.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: libicuin.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: libicuuc.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: libicuuc.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: icudt62.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: pla.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: pdh.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: tdh.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: msftedit.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: comsvcs.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: cmlua.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: cmutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: corefoundation.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: objc.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: asl.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: libdispatch.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: libicuin.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: libicuuc.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: icudt62.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: pla.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: pdh.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: tdh.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\more.com File opened: C:\Windows\SysWOW64\msftedit.dll Jump to behavior
Source: file.exe Static file information: File size 1225216 > 1048576
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: iTunesHelper.exe, 00000005.00000002.2420389290.0000015931BAC000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2432754582.00007FF8FF545000.00000002.00000001.01000000.0000000F.sdmp, iTunesHelper.exe, 00000006.00000002.2443005994.00007FF8FDE05000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: D:\BWA\3C094522-C7EC-0\objc4-528.1\srcroot\win32\x64\Release\objc.pdb44 source: file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2433093301.00007FF8FF5C8000.00000002.00000001.01000000.0000000A.sdmp, iTunesHelper.exe, 00000006.00000002.2442776246.00007FF8F9018000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: file.exe, 00000000.00000003.1890641798.0000000005B86000.00000004.00000800.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2431530186.00007FF8F8386000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdbGCTL source: file.exe, 00000000.00000003.1890641798.0000000005B86000.00000004.00000800.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2431530186.00007FF8F8386000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\BWA\32982D95-6B3A-0\libdispatch-244.1.23\srcroot\vsprojects\Release\libdispatch.pdb source: iTunesHelper.exe, 00000005.00000002.2432917960.00007FF8FF562000.00000002.00000001.01000000.0000000B.sdmp, iTunesHelper.exe, 00000006.00000002.2442664031.00007FF8F8BC2000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: D:\BWA\6B22E293-2BF5-0\iTunesWin-1200.12.12.9.4\srcroot\iTunes\iPodSupport\(Win32)\BuildResults\Production64\bin\iTunesHelper.pdb source: iTunesHelper.exe, 00000005.00000000.2220938190.00007FF65169E000.00000002.00000001.01000000.00000007.sdmp, iTunesHelper.exe, 00000005.00000002.2430562413.00007FF65169E000.00000002.00000001.01000000.00000007.sdmp, iTunesHelper.exe, 00000006.00000000.2419996203.00007FF72C63E000.00000002.00000001.01000000.00000013.sdmp, iTunesHelper.exe, 00000006.00000002.2441252540.00007FF72C63E000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\BWA\5580C191-5A7D-0\WinASL-55\srcroot\Release\x64\ASL.pdb source: iTunesHelper.exe, 00000005.00000002.2433539766.00007FF8FF5EC000.00000002.00000001.01000000.00000009.sdmp, iTunesHelper.exe, 00000006.00000002.2442904431.00007FF8F9D6C000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: ntdll.pdb source: iTunesHelper.exe, 00000005.00000002.2429944474.000001593C690000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2430172305.000001593CA90000.00000004.00000800.00020000.00000000.sdmp, iTunesHelper.exe, 00000006.00000002.2439948092.000001A671BEF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\BWA\C6C59E02-D7F8-0\ICU-62110.3.8\objroot\obj64\lib\libicuin.pdb source: iTunesHelper.exe, 00000005.00000002.2431155550.00007FF8E8358000.00000002.00000001.01000000.00000010.sdmp, iTunesHelper.exe, 00000006.00000002.2441520136.00007FF8E77B8000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: ntdll.pdbUGP source: iTunesHelper.exe, 00000005.00000002.2429944474.000001593C690000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2430172305.000001593CA90000.00000004.00000800.00020000.00000000.sdmp, iTunesHelper.exe, 00000006.00000002.2439948092.000001A671BEF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\BWA\32982D95-6B3A-0\libdispatch-244.1.23\srcroot\vsprojects\Release\libdispatch.pdb!! source: iTunesHelper.exe, 00000005.00000002.2432917960.00007FF8FF562000.00000002.00000001.01000000.0000000B.sdmp, iTunesHelper.exe, 00000006.00000002.2442664031.00007FF8F8BC2000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: D:\BWA\C5E719F6-483C-0\CF_x64-750.443\objroot\CoreFoundation.build\x64\Release\CoreFoundation.pdbvv source: file.exe, 00000000.00000003.2204000836.00000000087FE000.00000004.00000800.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2431895251.00007FF8F8578000.00000002.00000001.01000000.00000008.sdmp, iTunesHelper.exe, 00000006.00000002.2442155654.00007FF8E8158000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: D:\BWA\3C094522-C7EC-0\objc4-528.1\srcroot\win32\x64\Release\objc.pdb source: file.exe, 00000000.00000003.1890920893.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2433093301.00007FF8FF5C8000.00000002.00000001.01000000.0000000A.sdmp, iTunesHelper.exe, 00000006.00000002.2442776246.00007FF8F9018000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: D:\BWA\C5E719F6-483C-0\CF_x64-750.443\objroot\CoreFoundation.build\x64\Release\CoreFoundation.pdb source: file.exe, 00000000.00000003.2204000836.00000000087FE000.00000004.00000800.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2431895251.00007FF8F8578000.00000002.00000001.01000000.00000008.sdmp, iTunesHelper.exe, 00000006.00000002.2442155654.00007FF8E8158000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: file.exe, 00000000.00000003.1893931582.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2420389290.0000015931BAC000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2432289672.00007FF8FDE21000.00000002.00000001.01000000.0000000D.sdmp, iTunesHelper.exe, 00000006.00000002.2442558070.00007FF8F8BA1000.00000002.00000001.01000000.0000001A.sdmp, iTunesHelper.exe, 00000011.00000002.2526960989.00007FF8FDE21000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: D:\BWA\C6C59E02-D7F8-0\ICU-62110.3.8\objroot\obj64\lib\libicuuc.pdb source: file.exe, 00000000.00000003.1890147478.0000000005B80000.00000004.00000800.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2432542835.00007FF8FDF05000.00000002.00000001.01000000.0000000C.sdmp, iTunesHelper.exe, 00000006.00000002.2441842650.00007FF8E7965000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: file.exe, 00000000.00000003.1893931582.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2420389290.0000015931BAC000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2432289672.00007FF8FDE21000.00000002.00000001.01000000.0000000D.sdmp, iTunesHelper.exe, 00000006.00000002.2442558070.00007FF8F8BA1000.00000002.00000001.01000000.0000001A.sdmp, iTunesHelper.exe, 00000011.00000002.2526960989.00007FF8FDE21000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: iTunesHelper.exe, 00000005.00000002.2420389290.0000015931BAC000.00000004.00000020.00020000.00000000.sdmp, iTunesHelper.exe, 00000005.00000002.2432754582.00007FF8FF545000.00000002.00000001.01000000.0000000F.sdmp, iTunesHelper.exe, 00000006.00000002.2443005994.00007FF8FDE05000.00000002.00000001.01000000.0000001C.sdmp
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Binary contains a suspicious time stamp
Source: vcruntime140.dll.0.dr Static PE information: 0xC94BF788 [Wed Jan 6 22:49:44 2077 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651678AB0 LoadLibraryW,GetProcAddress,FreeLibrary, 5_2_00007FF651678AB0
PE file contains an invalid checksum
Source: mkkmikiccu.18.dr Static PE information: real checksum: 0x0 should be: 0x5ae6e6
Source: ubtqn.7.dr Static PE information: real checksum: 0x0 should be: 0x5ae6e6
Source: file.exe Static PE information: real checksum: 0x76467 should be: 0x135256
PE file contains sections with non-standard names
Source: objc.dll.0.dr Static PE information: section name: .objc_im
Source: vcruntime140.dll.0.dr Static PE information: section name: _RDATA
Source: CoreFoundation.dll.0.dr Static PE information: section name: .objc_im
Source: CoreFoundation.dll.0.dr Static PE information: section name: .00cfg
Source: CoreFoundation.dll.5.dr Static PE information: section name: .objc_im
Source: CoreFoundation.dll.5.dr Static PE information: section name: .00cfg
Source: ubtqn.7.dr Static PE information: section name: .symtab
Source: ubtqn.7.dr Static PE information: section name: klnp
Source: mkkmikiccu.18.dr Static PE information: section name: .symtab
Source: mkkmikiccu.18.dr Static PE information: section name: klnp
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00E982ED pushad ; iretd 0_3_00E9841D
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00EA92BA push esp; retf 0_3_00EA92D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00E4B6F7 push cs; iretd 0_3_00E4B6F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00E422B4 push esi; ret 0_3_00E423C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00EA92BA push esp; retf 0_3_00EA92D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00EA92BA push esp; retf 0_3_00EA92D0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF6516B50E0 push rbx; retf 5_2_00007FF6516B50E1
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E81EDF32 push rcx; ret 5_2_00007FF8E81EDF33
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F836D5EA push rdx; retf 5_2_00007FF8F836D5EB
Drops PE files
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Local\Temp\mkkmikiccu Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\ASL.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\libicuuc.dll Jump to dropped file
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Local\Temp\updater.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\objc.dll Jump to dropped file
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Local\Temp\ubtqn Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\CoreFoundation.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\vcruntime140_1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe File created: C:\ProgramData\MsiSleuth\CoreFoundation.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe File created: C:\ProgramData\MsiSleuth\ASL.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\vcruntime140.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe File created: C:\ProgramData\MsiSleuth\CoreFoundation.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe File created: C:\ProgramData\MsiSleuth\ASL.dll Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Local\Temp\ubtqn Jump to dropped file
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Local\Temp\mkkmikiccu Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Found hidden mapped module (file has been removed from disk)
Source: C:\Windows\SysWOW64\more.com Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\UBTQN
Source: C:\Windows\SysWOW64\more.com Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\MKKMIKICCU
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation Jump to behavior
Switches to a custom stack to bypass stack traces
Source: C:\Windows\SysWOW64\more.com API/Special instruction interceptor: Address: 6CDF3B54
Source: C:\Users\user\AppData\Local\Temp\updater.exe API/Special instruction interceptor: Address: D594E9
Contains functionality to read device registry values (via SetupAPI)
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651675510 SetupDiGetClassDevsW,SetupDiEnumDeviceInterfaces,SetupDiGetDeviceInterfaceDetailW,SetupDiGetDeviceInterfaceDetailW,SetupDiGetDeviceRegistryPropertyW,SetupDiDestroyDeviceInfoList, 5_2_00007FF651675510
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mkkmikiccu Jump to dropped file
Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ubtqn Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 7424 Thread sleep time: -240000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\updater.exe File opened: PhysicalDrive0 Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF6516943C4 FindFirstFileExW, 5_2_00007FF6516943C4
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651674790 WideCharToMultiByte,WideCharToMultiByte,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindNextFileW,FindClose, 5_2_00007FF651674790
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F833A260 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn, 5_2_00007FF8F833A260
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651680AC0 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 5_2_00007FF651680AC0
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696497155j
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696497155
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: file.exe, file.exe, 00000000.00000003.1889308902.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1601639777.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1616254996.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1615503549.0000000000E34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: file.exe, 00000000.00000003.1889308902.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1601639777.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1616254996.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1615503549.0000000000E34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW*
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696497155o
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: file.exe, 00000000.00000003.1548715300.0000000000F61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696497155p
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696497155
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696497155f
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696497155s
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: file.exe, 00000000.00000003.1548715300.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651679A08 GetLastError,IsDebuggerPresent,OutputDebugStringW, 5_2_00007FF651679A08
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651679A08 GetLastError,IsDebuggerPresent,OutputDebugStringW, 5_2_00007FF651679A08
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651678AB0 LoadLibraryW,GetProcAddress,FreeLibrary, 5_2_00007FF651678AB0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651695E3C GetProcessHeap, 5_2_00007FF651695E3C
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF65167A2F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00007FF65167A2F0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF65167ACA4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF65167ACA4
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF65167AE8C SetUnhandledExceptionFilter, 5_2_00007FF65167AE8C
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF65168D8B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF65168D8B8
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8E83172B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00007FF8E83172B0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF8F83834B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00007FF8F83834B4

HIPS / PFW / Operating System Protection Evasion
barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtProtectVirtualMemory: Direct from: 0x7FF8F7EF94F5 Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtQuerySystemInformation: Direct from: 0x94E6D6D8E8 Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtAllocateVirtualMemory: Direct from: 0x2230FBECEB0 Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtClose: Direct from: 0x204AB30DC80
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtClose: Direct from: 0x1A667041460
Source: C:\Users\user\AppData\Local\Temp\updater.exe NtDeviceIoControlFile: Direct from: 0x107290A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe NtProtectVirtualMemory: Direct from: 0x77537B2E Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtQuerySystemInformation: Direct from: 0xA62511D388 Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtCreateFile: Direct from: 0xF830FB9C Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe NtAllocateVirtualMemory: Direct from: 0xD5A7A6 Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtAllocateVirtualMemory: Direct from: 0x7FF8F7EF9635 Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtAllocateVirtualMemory: Direct from: 0x110 Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtAllocateVirtualMemory: Direct from: 0x204AB30C080 Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtAllocateVirtualMemory: Direct from: 0x7FF9A0A76ACB Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtQuerySystemInformation: Direct from: 0x7FF840CB21D3 Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtCreateNamedPipeFile: Direct from: 0x10 Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtQuerySystemInformation: Direct from: 0x22300000000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe NtCreateFile: Direct from: 0xD59873 Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtQuerySystemInformation: Direct from: 0x1A600000000 Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtClose: Direct from: 0x2230FBEE010
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtCreateFile: Direct from: 0xFC9AEE76 Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtQuerySystemInformation: Direct from: 0x20400000000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe NtCreateMutant: Direct from: 0xD59D29 Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtAllocateVirtualMemory: Direct from: 0x1A66703D1A0 Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtAllocateVirtualMemory: Direct from: 0x1 Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtClose: Direct from: 0x2
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtProtectVirtualMemory: Direct from: 0x3 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\updater.exe NtClose: Direct from: 0xD59D53
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtProtectVirtualMemory: Direct from: 0x6C006C Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtQuerySystemInformation: Direct from: 0x9370BAD708 Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtCreateFile: Direct from: 0xF9E624E2 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe NtQuerySystemInformation: Direct from: 0x2A486FD260 Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe NtAllocateVirtualMemory: Direct from: 0x1A67147E198 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Users\user\AppData\Local\Temp\updater.exe base: D56B92 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Users\user\AppData\Local\Temp\updater.exe base: E97008 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Users\user\AppData\Local\Temp\updater.exe base: D56B92 Jump to behavior
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Users\user\AppData\Local\Temp\updater.exe base: 10F7008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com Jump to behavior
Source: C:\Windows\SysWOW64\more.com Process created: C:\Users\user\AppData\Local\Temp\updater.exe C:\Users\user\AppData\Local\Temp\updater.exe Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com Jump to behavior
Source: C:\ProgramData\MsiSleuth\iTunesHelper.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com Jump to behavior
Source: C:\Windows\SysWOW64\more.com Process created: C:\Users\user\AppData\Local\Temp\updater.exe C:\Users\user\AppData\Local\Temp\updater.exe Jump to behavior
Source: file.exe, 00000000.00000000.1353085372.0000000000785000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1510662930.00000000042A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF65169BE00 cpuid 5_2_00007FF65169BE00
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,uprv_malloc,GetLocaleInfoEx,uprv_malloc,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,uprv_malloc,GetLocaleInfoEx, 5_2_00007FF8E8314080
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,uprv_malloc,GetLocaleInfoEx,uprv_malloc,GetLocaleInfoEx,GetLocaleInfoEx, 5_2_00007FF8E83141F0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: ___lc_locale_name_func,GetLocaleInfoEx, 5_2_00007FF8F835F4F0
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: GetLocaleInfoEx,FormatMessageA, 5_2_00007FF8F834285C
Queries device information via Setup API
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651675510 SetupDiGetClassDevsW,SetupDiEnumDeviceInterfaces,SetupDiGetDeviceInterfaceDetailW,SetupDiGetDeviceInterfaceDetailW,SetupDiGetDeviceRegistryPropertyW,SetupDiDestroyDeviceInfoList, 5_2_00007FF651675510
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF65167AEF8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_00007FF65167AEF8
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651671310 GetUserNameA,CreateEventA,GetLastError,CloseHandle,CoInitialize,GetModuleHandleA,GetCommandLineA,CoUninitialize,CloseHandle, 5_2_00007FF651671310
Source: C:\Users\user\AppData\Local\Temp\E96ZE7LZSTDFEIZEXRL4MLG397V\iTunesHelper.exe Code function: 5_2_00007FF651692CD0 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 5_2_00007FF651692CD0
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: file.exe, file.exe, 00000000.00000003.1616148463.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1889206855.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1616189895.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1625391656.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1625541305.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 7272, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe String found in binary or memory: *electrum*
Source: file.exe String found in binary or memory: s/ElectronCash
Source: file.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: file.exe String found in binary or memory: window-state.json
Source: file.exe String found in binary or memory: *exodus*
Source: file.exe String found in binary or memory: *ethereum*
Source: file.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\AFWAAFRXKO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\AFWAAFRXKO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\AFWAAFRXKO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\AFWAAFRXKO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\AFWAAFRXKO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\MNULNCRIYC Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PSAMNLJHZW Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PSAMNLJHZW Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\TQDGENUHWP Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\TQDGENUHWP Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\TQDGENUHWP Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\TQDGENUHWP Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\TQDGENUHWP Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UOOJJOZIRH Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\AFWAAFRXKO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\AFWAAFRXKO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\TQDGENUHWP Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\TQDGENUHWP Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000003.1601639777.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1615503549.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1601418578.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7272, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 7272, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1604558 Sample: file.exe Startdate: 01/02/2025 Architecture: WINDOWS Score: 100 64 u2.servicelandingkaraoke.shop 2->64 66 toppyneedus.biz 2->66 68 5 other IPs or domains 2->68 78 Suricata IDS alerts for network traffic 2->78 80 Found malware configuration 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 9 other signatures 2->84 10 file.exe 14 2->10         started        15 iTunesHelper.exe 1 2->15         started        17 iTunesHelper.exe 1 2->17         started        signatures3 process4 dnsIp5 74 toppyneedus.biz 104.21.29.142, 443, 49810, 49816 CLOUDFLARENETUS United States 10->74 76 u2.servicelandingkaraoke.shop 188.114.97.3, 443, 49891 CLOUDFLARENETUS European Union 10->76 56 C:\Users\user\AppData\Local\Temp\...\objc.dll, PE32+ 10->56 dropped 58 C:\Users\user\AppData\Local\...\libicuuc.dll, PE32+ 10->58 dropped 60 C:\Users\user\AppData\...\CoreFoundation.dll, PE32+ 10->60 dropped 62 4 other files (1 malicious) 10->62 dropped 104 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 10->104 106 Query firmware table information (likely to detect VMs) 10->106 108 Binary is likely a compiled AutoIt script file 10->108 114 3 other signatures 10->114 19 iTunesHelper.exe 14 10->19         started        110 Maps a DLL or memory area into another process 15->110 112 Found direct / indirect Syscall (likely to bypass EDR) 15->112 23 more.com 2 15->23         started        25 more.com 1 17->25         started        file6 signatures7 process8 file9 46 C:\ProgramData\MsiSleuth\CoreFoundation.dll, PE32+ 19->46 dropped 48 C:\ProgramData\MsiSleuth\ASL.dll, PE32+ 19->48 dropped 86 Found direct / indirect Syscall (likely to bypass EDR) 19->86 27 iTunesHelper.exe 1 19->27         started        50 C:\Users\user\AppData\Local\Temp\mkkmikiccu, PE32 23->50 dropped 88 Writes to foreign memory regions 23->88 30 updater.exe 23->30         started        32 conhost.exe 23->32         started        34 conhost.exe 25->34         started        signatures10 process11 signatures12 100 Maps a DLL or memory area into another process 27->100 102 Found direct / indirect Syscall (likely to bypass EDR) 27->102 36 more.com 3 27->36         started        process13 file14 52 C:\Users\user\AppData\Local\...\updater.exe, PE32 36->52 dropped 54 C:\Users\user\AppData\Local\Temp\ubtqn, PE32 36->54 dropped 90 Writes to foreign memory regions 36->90 92 Found hidden mapped module (file has been removed from disk) 36->92 94 Switches to a custom stack to bypass stack traces 36->94 40 updater.exe 36->40         started        44 conhost.exe 36->44         started        signatures15 process16 dnsIp17 70 steamcommunity.com 23.197.127.21, 443, 60729, 60730 AKAMAI-ASN1EU United States 40->70 72 127.0.0.1 unknown unknown 40->72 96 Switches to a custom stack to bypass stack traces 40->96 98 Found direct / indirect Syscall (likely to bypass EDR) 40->98 signatures18
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.97.3
 u2.servicelandingkaraoke.shop European Union
13335 CLOUDFLARENETUS false
104.21.29.142
 toppyneedus.biz United States
13335 CLOUDFLARENETUS false
23.197.127.21
 steamcommunity.com United States
20940 AKAMAI-ASN1EU false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
u2.servicelandingkaraoke.shop 188.114.97.3 true
steamcommunity.com 23.197.127.21 true
s-part-0033.t-0009.t-msedge.net 13.107.246.61 true
toppyneedus.biz 104.21.29.142 true
cegu.shop unknown unknown
18.31.95.13.in-addr.arpa unknown unknown
entrepreneurstop.top unknown unknown
guardeduppe.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://steamcommunity.com/profiles/76561198446647282 false
    		high
    https://u2.servicelandingkaraoke.shop/cp_sh.eml false
    • Avira URL Cloud: malware
    		 unknown
    https://toppyneedus.biz/api false
      		high
      https://steamcommunity.com/profiles/76561198803575301 false
        		high