Windows Analysis Report
2q45IEa3Ee.exe

Overview

General Information

Sample name: 2q45IEa3Ee.exe
renamed because original name is a hash value
Original sample name: 4a36fa7c0ccbc6842c541a6439ab545a.exe
Analysis ID: 1429253
MD5: 4a36fa7c0ccbc6842c541a6439ab545a
SHA1: 9257009dd59ac4db2518293bcd46be058d937284
SHA256: ca9b2380df90ac17d8c042db4ab442ffad68cc52cd2e557d855f7d571469198f
Tags: 32exetrojan
Infos:

Detection

LummaC, RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected LummaC Stealer
Yara detected RisePro Stealer
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Avira: detection malicious, Label: TR/AD.Nekark.sbdpe
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Avira: detection malicious, Label: TR/AD.Nekark.sbdpe
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Avira: detection malicious, Label: TR/AD.Nekark.sbdpe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lumma1504[1].exe Avira: detection malicious, Label: TR/AD.Nekark.sbdpe
Found malware configuration
Source: 7.2.RegAsm.exe.400000.0.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "bordersoarmanusjuw.shop"], "Build id": "H8NgCl--"}
Multi AV Scanner detection for domain / URL
Source: https://bordersoarmanusjuw.shop:443/api Virustotal: Detection: 16% Perma Link
Source: https://bordersoarmanusjuw.shop/ Virustotal: Detection: 16% Perma Link
Source: https://bordersoarmanusjuw.shop/api Virustotal: Detection: 16% Perma Link
Source: https://bordersoarmanusjuw.shop/api( Virustotal: Detection: 8% Perma Link
Source: https://bordersoarmanusjuw.shop/0 Virustotal: Detection: 9% Perma Link
Source: https://bordersoarmanusjuw.shop/# Virustotal: Detection: 16% Perma Link
Source: mealplayerpreceodsju.shop Virustotal: Detection: 18% Perma Link
Source: economicscreateojsu.shop Virustotal: Detection: 13% Perma Link
Source: https://bordersoarmanusjuw.shop/api$ Virustotal: Detection: 13% Perma Link
Source: http://193.233.132.253/lumma1504.exe Virustotal: Detection: 22% Perma Link
Source: https://bordersoarmanusjuw.shop/apie Virustotal: Detection: 15% Perma Link
Source: https://bordersoarmanusjuw.shop/apir Virustotal: Detection: 13% Perma Link
Source: entitlementappwo.shop Virustotal: Detection: 17% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe ReversingLabs: Detection: 91%
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Virustotal: Detection: 77% Perma Link
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Virustotal: Detection: 77% Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lumma1504[1].exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lumma1504[1].exe Virustotal: Detection: 77% Perma Link
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Virustotal: Detection: 77% Perma Link
Multi AV Scanner detection for submitted file
Source: 2q45IEa3Ee.exe Virustotal: Detection: 23% Perma Link
Source: 2q45IEa3Ee.exe ReversingLabs: Detection: 28%
Machine Learning detection for dropped file
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lumma1504[1].exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000007.00000002.1920199999.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: wifeplasterbakewis.shop
Source: 00000007.00000002.1920199999.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: mealplayerpreceodsju.shop
Source: 00000007.00000002.1920199999.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: bordersoarmanusjuw.shop
Source: 00000007.00000002.1920199999.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: suitcaseacanehalk.shop
Source: 00000007.00000002.1920199999.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: absentconvicsjawun.shop
Source: 00000007.00000002.1920199999.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: pushjellysingeywus.shop
Source: 00000007.00000002.1920199999.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: economicscreateojsu.shop
Source: 00000007.00000002.1920199999.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: entitlementappwo.shop
Source: 00000007.00000002.1920199999.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: bordersoarmanusjuw.shop
Source: 00000007.00000002.1920199999.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000007.00000002.1920199999.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000007.00000002.1920199999.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000007.00000002.1920199999.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000007.00000002.1920199999.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000007.00000002.1920199999.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: H8NgCl--
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00415B57 CryptUnprotectData, 7_2_00415B57
Uses 32bit PE files
Source: 2q45IEa3Ee.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: Binary string: C:\ka7c6p6\obj\Release\Question.pdbT2n2 `2_CorExeMainmscoree.dll source: MSIUpdaterV202.exe.0.dr, AdobeUpdaterV202.exe.0.dr, oRkIPIEeryat7GMgjkBr.exe.0.dr, lumma1504[1].exe.0.dr
Source: Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: 2q45IEa3Ee.exe
Source: Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdbP@n@ `@_CorExeMainmscoree.dll source: 2q45IEa3Ee.exe
Source: Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: 2q45IEa3Ee.exe
Source: Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb,ANA @A_CorExeMainmscoree.dll source: 2q45IEa3Ee.exe
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: 2q45IEa3Ee.exe, 2q45IEa3Ee.exe, 00000000.00000002.1877085413.0000000000E70000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: C:\ka7c6p6\obj\Release\Question.pdb source: MSIUpdaterV202.exe.0.dr, AdobeUpdaterV202.exe.0.dr, oRkIPIEeryat7GMgjkBr.exe.0.dr, lumma1504[1].exe.0.dr
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: number of queries: 2357
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00D52870 FindFirstFileA,FindNextFileA,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00D52870
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00C8C82B FindFirstFileExW,GetLastError, 0_2_00C8C82B
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+70h] 7_2_00417239
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esp+00000080h] 7_2_004212B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi] 7_2_00415390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then inc ebx 7_2_00421670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+08h] 7_2_0043B800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+0Ch] 7_2_00435ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 7_2_00409D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esp+0Ch] 7_2_0043AE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 18DC7455h 7_2_00421F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp ecx 7_2_0041403B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then test edi, edi 7_2_0043A0D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 7_2_00432140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+18h] 7_2_0041D128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esi+000001C0h] 7_2_00424240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], dx 7_2_00415216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esp+04h] 7_2_0043822F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movsx ecx, byte ptr [esi+eax] 7_2_0040D2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], dx 7_2_0041B2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then xor eax, eax 7_2_00439461
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esp+0Ch] 7_2_0043B470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+000000F0h] 7_2_0041347E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+04h] 7_2_004384D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 7_2_004025E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp ecx 7_2_00416582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then inc ebx 7_2_004216CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then not ecx 7_2_004176E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 0AB35B01h 7_2_00413722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+00000180h] 7_2_00411739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 7_2_0040F7CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [esi+edi+02h], 0000h 7_2_0041B930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 7_2_0043799B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 7_2_00416A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+70h] 7_2_00417A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edx], al 7_2_00422B54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edx], al 7_2_00422B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 7_2_00417BF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+000008A0h] 7_2_0041FBB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [esi+00000600h], 00000000h 7_2_00410C5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ecx], al 7_2_00416E69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then push edi 7_2_0040FED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [esi+00000600h], 00000000h 7_2_00410F4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then inc ebx 7_2_00414F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+000008A0h] 7_2_0041EF19

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49732 -> 193.233.132.253:50500
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.253:50500 -> 192.168.2.4:49732
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 193.233.132.253:50500
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 193.233.132.253:50500 -> 192.168.2.4:49732
Source: Traffic Snort IDS: 2052033 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (bordersoarmanusjuw .shop) 192.168.2.4:52093 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49742 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49743 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49744 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49745 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49746 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49747 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49748 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49749 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49750 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49751 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49752 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49753 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49754 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49755 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49756 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49757 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49758 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49759 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49760 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49761 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49762 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49763 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49764 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49765 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49766 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49767 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49768 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49769 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49770 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49771 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49772 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49773 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49774 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49775 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49776 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49777 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49778 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49779 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49780 -> 172.67.189.66:443
Source: Traffic Snort IDS: 2052042 ET TROJAN Observed Lumma Stealer Related Domain (bordersoarmanusjuw .shop in TLS SNI) 192.168.2.4:49781 -> 172.67.189.66:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor URLs: absentconvicsjawun.shop
Source: Malware configuration extractor URLs: pushjellysingeywus.shop
Source: Malware configuration extractor URLs: economicscreateojsu.shop
Source: Malware configuration extractor URLs: entitlementappwo.shop
Source: Malware configuration extractor URLs: bordersoarmanusjuw.shop
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49732 -> 193.233.132.253:50500
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 104.26.5.15 104.26.5.15
Source: Joe Sandbox View IP Address: 193.233.132.253 193.233.132.253
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
May check the online IP address of the machine
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8779Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8779Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8779Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7091Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1411Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7091Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7091Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1411Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1411Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 584825Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 584853Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 585358Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8779Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7091Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1412Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 584522Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 49Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8779Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7091Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1388Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 591259Host: bordersoarmanusjuw.shop
Source: global traffic HTTP traffic detected: HEAD /lumma1504.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 193.233.132.253Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /lumma1504.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 193.233.132.253Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.253
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00D32890 recv,setsockopt, 0_2_00D32890
Source: global traffic HTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /lumma1504.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 193.233.132.253Cache-Control: no-cache
Source: unknown DNS traffic detected: queries for: ipinfo.io
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: bordersoarmanusjuw.shop
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017E5000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1842940469.0000000005FF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.253/lumma1504.exe
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.253/lumma1504.exedser
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.253/lumma1504.exesw
Source: 2q45IEa3Ee.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 2q45IEa3Ee.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 2q45IEa3Ee.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: 2q45IEa3Ee.exe, 00000000.00000002.1876906597.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: 2q45IEa3Ee.exe, 00000000.00000003.1812931401.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1815262466.0000000005FFF000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1811745370.0000000005FC0000.00000004.00000020.00020000.00000000.sdmp, _TP0jqeyFqX_Web Data.0.dr, PGpLy2WBlLFSWeb Data.0.dr, y_CqgZq8h7seWeb Data.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, RegAsm.exe, 0000000B.00000002.1939197101.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1939197101.000000000071D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2048327163.00000000014EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/
Source: RegAsm.exe, 0000000A.00000002.1936828284.00000000037E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/#
Source: RegAsm.exe, 0000000A.00000002.1936237566.000000000162F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/&Y
Source: RegAsm.exe, 00000011.00000002.2130384793.0000000001576000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/0
Source: RegAsm.exe, 00000011.00000002.2130384793.00000000015C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/O
Source: RegAsm.exe, 00000011.00000002.2130384793.0000000001576000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/San
Source: RegAsm.exe, 00000011.00000002.2130384793.00000000015C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/Xavf
Source: RegAsm.exe, RegAsm.exe, 0000000B.00000002.1939197101.000000000071D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1939197101.0000000000785000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2049332296.000000000358C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2048327163.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2048327163.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2130384793.00000000015C9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2130384793.0000000001576000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2131175305.0000000003840000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/api
Source: RegAsm.exe, 00000007.00000002.1920835027.00000000014BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/api$
Source: RegAsm.exe, 0000000A.00000002.1936237566.00000000015CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/api(
Source: RegAsm.exe, 00000011.00000002.2131175305.0000000003840000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/apiM
Source: RegAsm.exe, 0000000A.00000002.1936237566.000000000162F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/apiVY
Source: RegAsm.exe, 0000000B.00000002.1939197101.00000000006DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/apie
Source: RegAsm.exe, 00000007.00000002.1920616270.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/apir
Source: RegAsm.exe, 0000000B.00000002.1939197101.00000000006DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/es)
Source: RegAsm.exe, 0000000F.00000002.2048327163.00000000014B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/k9
Source: RegAsm.exe, 00000011.00000002.2130384793.0000000001576000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/ll
Source: RegAsm.exe, 0000000B.00000002.1939197101.0000000000795000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/pi
Source: RegAsm.exe, 00000007.00000002.1920616270.00000000013CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/piable
Source: RegAsm.exe, 00000011.00000002.2130384793.0000000001576000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/rx
Source: RegAsm.exe, 0000000F.00000002.2048327163.00000000014EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop/y
Source: RegAsm.exe, 00000011.00000002.2130384793.000000000156B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop:443/api
Source: RegAsm.exe, 0000000A.00000002.1936237566.0000000001580000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bordersoarmanusjuw.shop:443/apiSID
Source: 2q45IEa3Ee.exe, 00000000.00000003.1812931401.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1815262466.0000000005FFF000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1811745370.0000000005FC0000.00000004.00000020.00020000.00000000.sdmp, _TP0jqeyFqX_Web Data.0.dr, PGpLy2WBlLFSWeb Data.0.dr, y_CqgZq8h7seWeb Data.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 2q45IEa3Ee.exe, 00000000.00000003.1812931401.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1815262466.0000000005FFF000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1811745370.0000000005FC0000.00000004.00000020.00020000.00000000.sdmp, _TP0jqeyFqX_Web Data.0.dr, PGpLy2WBlLFSWeb Data.0.dr, y_CqgZq8h7seWeb Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 2q45IEa3Ee.exe, 00000000.00000003.1812931401.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1815262466.0000000005FFF000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1811745370.0000000005FC0000.00000004.00000020.00020000.00000000.sdmp, _TP0jqeyFqX_Web Data.0.dr, PGpLy2WBlLFSWeb Data.0.dr, y_CqgZq8h7seWeb Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52
Source: 2q45IEa3Ee.exe, 00000000.00000003.1812931401.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1815262466.0000000005FFF000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1811745370.0000000005FC0000.00000004.00000020.00020000.00000000.sdmp, _TP0jqeyFqX_Web Data.0.dr, PGpLy2WBlLFSWeb Data.0.dr, y_CqgZq8h7seWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 2q45IEa3Ee.exe, 00000000.00000003.1812931401.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1815262466.0000000005FFF000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1811745370.0000000005FC0000.00000004.00000020.00020000.00000000.sdmp, _TP0jqeyFqX_Web Data.0.dr, PGpLy2WBlLFSWeb Data.0.dr, y_CqgZq8h7seWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 2q45IEa3Ee.exe, 00000000.00000003.1812931401.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1815262466.0000000005FFF000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1811745370.0000000005FC0000.00000004.00000020.00020000.00000000.sdmp, _TP0jqeyFqX_Web Data.0.dr, PGpLy2WBlLFSWeb Data.0.dr, y_CqgZq8h7seWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 2q45IEa3Ee.exe, 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017AB000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017E5000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000002.1877753884.0000000001767000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: 2q45IEa3Ee.exe, 00000000.00000003.1627570903.00000000016F0000.00000004.00001000.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000002.1876906597.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://ipinfo.io/Content-Type:
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/L
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.0000000001767000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/s
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52/0
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52
Source: 2q45IEa3Ee.exe String found in binary or memory: https://sectigo.com/CPS0
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: 2q45IEa3Ee.exe, 00000000.00000003.1812141315.0000000005FBF000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1814756856.0000000005FDD000.00000004.00000020.00020000.00000000.sdmp, 4yAbYkouo2kFHistory.0.dr, SMhcoWrJBtJiHistory.0.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: 4yAbYkouo2kFHistory.0.dr, SMhcoWrJBtJiHistory.0.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: 2q45IEa3Ee.exe, 00000000.00000003.1812141315.0000000005FBF000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1814756856.0000000005FDD000.00000004.00000020.00020000.00000000.sdmp, 4yAbYkouo2kFHistory.0.dr, SMhcoWrJBtJiHistory.0.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: 4yAbYkouo2kFHistory.0.dr, SMhcoWrJBtJiHistory.0.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: uw5Stgma3gbM9Xo4g_6cCoQ.zip.0.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017E5000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1821067278.0000000006026000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr String found in binary or memory: https://t.me/risepro_bot
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot.52igY
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisepro8Y
Source: 2q45IEa3Ee.exe, 00000000.00000003.1812931401.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1815262466.0000000005FFF000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1811745370.0000000005FC0000.00000004.00000020.00020000.00000000.sdmp, _TP0jqeyFqX_Web Data.0.dr, PGpLy2WBlLFSWeb Data.0.dr, y_CqgZq8h7seWeb Data.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: 2q45IEa3Ee.exe, 00000000.00000003.1812931401.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1815262466.0000000005FFF000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1811745370.0000000005FC0000.00000004.00000020.00020000.00000000.sdmp, _TP0jqeyFqX_Web Data.0.dr, PGpLy2WBlLFSWeb Data.0.dr, y_CqgZq8h7seWeb Data.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 2q45IEa3Ee.exe, 2q45IEa3Ee.exe, 00000000.00000003.1627570903.00000000016F0000.00000004.00001000.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000002.1876906597.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 2q45IEa3Ee.exe, 00000000.00000003.1820881268.0000000005FEA000.00000004.00000020.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017E5000.00000004.00000020.00020000.00000000.sdmp, Firefox_fqs92o4p.default-release.txt.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: 2q45IEa3Ee.exe, 00000000.00000002.1878839470.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017E5000.00000004.00000020.00020000.00000000.sdmp, Firefox_fqs92o4p.default-release.txt.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: 2q45IEa3Ee.exe, 00000000.00000002.1878839470.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/tataX
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.189.66:443 -> 192.168.2.4:49781 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_0042DDE0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 7_2_0042DDE0
Contains functionality to read the clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_0042DDE0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 7_2_0042DDE0

System Summary
barindex
.NET source code contains very large array initializations
Source: lumma1504[1].exe.0.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 307200
Source: oRkIPIEeryat7GMgjkBr.exe.0.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 307200
Source: AdobeUpdaterV202.exe.0.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 307200
Source: MSIUpdaterV202.exe.0.dr, RemoteObjects.cs Large array initialization: RemoteObjects: array initializer size 307200
PE file contains section with special chars
Source: 2q45IEa3Ee.exe Static PE information: section name:
Source: 2q45IEa3Ee.exe Static PE information: section name:
Source: 2q45IEa3Ee.exe Static PE information: section name:
Source: 2q45IEa3Ee.exe Static PE information: section name:
Detected potential crypto function
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00C9A8BD 0_2_00C9A8BD
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00CBB010 0_2_00CBB010
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00CBA790 0_2_00CBA790
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDC8DC 0_2_00FDC8DC
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDC0D0 0_2_00FDC0D0
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00D5C0A0 0_2_00D5C0A0
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00C8A040 0_2_00C8A040
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00CAF050 0_2_00CAF050
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00C971F0 0_2_00C971F0
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDC1BF 0_2_00FDC1BF
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDD99D 0_2_00FDD99D
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDBA91 0_2_00FDBA91
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00C91A30 0_2_00C91A30
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00C9ABFF 0_2_00C9ABFF
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00CA8314 0_2_00CA8314
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FE4CA4 0_2_00FE4CA4
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00D5F450 0_2_00D5F450
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00CB3450 0_2_00CB3450
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FE45A2 0_2_00FE45A2
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FE3D89 0_2_00FE3D89
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00C80DB0 0_2_00C80DB0
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FE056D 0_2_00FE056D
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FE3D1D 0_2_00FE3D1D
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDCEA0 0_2_00FDCEA0
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00CACEA1 0_2_00CACEA1
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDB75B 0_2_00FDB75B
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Code function: 6_2_01160A31 6_2_01160A31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00425183 7_2_00425183
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00421670 7_2_00421670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00415B57 7_2_00415B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00404C40 7_2_00404C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00421F80 7_2_00421F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00410060 7_2_00410060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00401000 7_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_0041D128 7_2_0041D128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_0043B130 7_2_0043B130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00408250 7_2_00408250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00404260 7_2_00404260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00403370 7_2_00403370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_0043B470 7_2_0043B470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00436480 7_2_00436480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00406610 7_2_00406610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_004216CE 7_2_004216CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00401740 7_2_00401740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00403770 7_2_00403770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00405890 7_2_00405890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00406C20 7_2_00406C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_0041DD72 7_2_0041DD72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00426E67 7_2_00426E67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00426F29 7_2_00426F29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00426FA0 7_2_00426FA0
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Code function: 8_2_00C60A31 8_2_00C60A31
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Code function: 9_2_00D10A31 9_2_00D10A31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 11_2_00729700 11_2_00729700
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Code function: 14_2_02A60A31 14_2_02A60A31
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Code function: 16_2_01590A31 16_2_01590A31
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe F5913E753281DBDF88F36C73D13AFBF4AF62046E25F8E148E87A80E88818C4D7
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe F5913E753281DBDF88F36C73D13AFBF4AF62046E25F8E148E87A80E88818C4D7
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lumma1504[1].exe F5913E753281DBDF88F36C73D13AFBF4AF62046E25F8E148E87A80E88818C4D7
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00408C90 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004092E0 appears 160 times
PE / OLE file has an invalid certificate
Source: 2q45IEa3Ee.exe Static PE information: invalid certificate
PE file contains executable resources (Code or Archives)
Source: 2q45IEa3Ee.exe Static PE information: Resource name: SETUPSERVICE_WIN7 type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 2q45IEa3Ee.exe Static PE information: Resource name: SETUPSERVICE_WIN8 type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Sample file is different than original file name gathered from version info
Source: 2q45IEa3Ee.exe Binary or memory string: OriginalFilename vs 2q45IEa3Ee.exe
Source: 2q45IEa3Ee.exe, 00000000.00000002.1878839470.0000000006002000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQuestion.exeJ vs 2q45IEa3Ee.exe
Source: 2q45IEa3Ee.exe, 00000000.00000000.1620206673.0000000000E2D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSetupAfterRebootService.exeP vs 2q45IEa3Ee.exe
Source: 2q45IEa3Ee.exe, 00000000.00000003.1876269087.00000000056E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSetupAfterRebootService.exeP vs 2q45IEa3Ee.exe
Source: 2q45IEa3Ee.exe, 00000000.00000003.1876269087.00000000056E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHxInstallerBackground.dll@ vs 2q45IEa3Ee.exe
Source: 2q45IEa3Ee.exe, 00000000.00000000.1620206673.0000000000E38000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSetupAfterRebootService.exeP vs 2q45IEa3Ee.exe
Source: 2q45IEa3Ee.exe, 00000000.00000000.1620206673.0000000000E38000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameHxInstallerBackground.dll@ vs 2q45IEa3Ee.exe
Source: 2q45IEa3Ee.exe, 00000000.00000002.1876952861.0000000000E38000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSetupAfterRebootService.exeP vs 2q45IEa3Ee.exe
Source: 2q45IEa3Ee.exe, 00000000.00000002.1876952861.0000000000E38000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameHxInstallerBackground.dll@ vs 2q45IEa3Ee.exe
Source: 2q45IEa3Ee.exe Binary or memory string: OriginalFilenameSetupAfterRebootService.exeP vs 2q45IEa3Ee.exe
Source: 2q45IEa3Ee.exe Binary or memory string: OriginalFilenameHxInstallerBackground.dll@ vs 2q45IEa3Ee.exe
Uses 32bit PE files
Source: 2q45IEa3Ee.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: lumma1504[1].exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: oRkIPIEeryat7GMgjkBr.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AdobeUpdaterV202.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: MSIUpdaterV202.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 2q45IEa3Ee.exe Static PE information: Section: ZLIB complexity 0.9998214068579766
Source: 2q45IEa3Ee.exe Static PE information: Section: ZLIB complexity 0.9965173192771084
Source: 2q45IEa3Ee.exe Static PE information: Section: .reloc ZLIB complexity 1.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@23/30@3/4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_0042A936 CoCreateInstance, 7_2_0042A936
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File created: C:\Users\user\AppData\Local\Temp\trixyBzNJzauM1END Jump to behavior
Source: 2q45IEa3Ee.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 2q45IEa3Ee.exe, 2q45IEa3Ee.exe, 00000000.00000003.1627633755.0000000001570000.00000004.00001000.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000002.1876933783.0000000000DE2000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 2q45IEa3Ee.exe, 00000000.00000003.1627633755.0000000001570000.00000004.00001000.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000002.1876933783.0000000000DE2000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 2q45IEa3Ee.exe, 00000000.00000003.1811612230.0000000005FA8000.00000004.00000020.00020000.00000000.sdmp, hFeN_nRcyMkILogin Data.0.dr, LBC6lg2YJ3HXLogin Data For Account.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 2q45IEa3Ee.exe Virustotal: Detection: 23%
Source: 2q45IEa3Ee.exe ReversingLabs: Detection: 28%
Source: 2q45IEa3Ee.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File read: C:\Users\user\Desktop\2q45IEa3Ee.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\2q45IEa3Ee.exe "C:\Users\user\Desktop\2q45IEa3Ee.exe"
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Process created: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe "C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe"
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown Process created: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe
Source: unknown Process created: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe "C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe "C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Process created: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe "C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: 2q45IEa3Ee.exe Static file information: File size 2551616 > 1048576
Source: 2q45IEa3Ee.exe Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x15fc00
Source: Binary string: C:\ka7c6p6\obj\Release\Question.pdbT2n2 `2_CorExeMainmscoree.dll source: MSIUpdaterV202.exe.0.dr, AdobeUpdaterV202.exe.0.dr, oRkIPIEeryat7GMgjkBr.exe.0.dr, lumma1504[1].exe.0.dr
Source: Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: 2q45IEa3Ee.exe
Source: Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdbP@n@ `@_CorExeMainmscoree.dll source: 2q45IEa3Ee.exe
Source: Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: 2q45IEa3Ee.exe
Source: Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb,ANA @A_CorExeMainmscoree.dll source: 2q45IEa3Ee.exe
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: 2q45IEa3Ee.exe, 2q45IEa3Ee.exe, 00000000.00000002.1877085413.0000000000E70000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: C:\ka7c6p6\obj\Release\Question.pdb source: MSIUpdaterV202.exe.0.dr, AdobeUpdaterV202.exe.0.dr, oRkIPIEeryat7GMgjkBr.exe.0.dr, lumma1504[1].exe.0.dr
Binary contains a suspicious time stamp
Source: lumma1504[1].exe.0.dr Static PE information: 0x8AD735A1 [Sun Oct 25 04:22:57 2043 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00D3B380 LoadLibraryA,GetProcAddress, 0_2_00D3B380
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .boot
PE file contains sections with non-standard names
Source: 2q45IEa3Ee.exe Static PE information: section name:
Source: 2q45IEa3Ee.exe Static PE information: section name:
Source: 2q45IEa3Ee.exe Static PE information: section name:
Source: 2q45IEa3Ee.exe Static PE information: section name:
Source: 2q45IEa3Ee.exe Static PE information: section name: .themida
Source: 2q45IEa3Ee.exe Static PE information: section name: .boot
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDD0F9 push 58490A72h; mov dword ptr [esp], edx 0_2_011C1C56
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDD0F9 push edi; mov dword ptr [esp], 000AA9A0h 0_2_011C1CCA
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDD0F9 push 7B7C085Ch; mov dword ptr [esp], ebx 0_2_011C1CE6
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDD0F9 push ebx; mov dword ptr [esp], edx 0_2_011C1CF9
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDD0F9 push edx; mov dword ptr [esp], 55DBEDB5h 0_2_011C1D7E
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDF0E1 push edi; mov dword ptr [esp], 37DA81A0h 0_2_011CF3CF
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDF0E1 push ebp; mov dword ptr [esp], esi 0_2_011CF3FF
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDF0E1 push ebx; mov dword ptr [esp], edx 0_2_011CF43D
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDF0E1 push eax; mov dword ptr [esp], esi 0_2_011CF4B2
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDF0E1 push ecx; mov dword ptr [esp], esi 0_2_011CF519
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDC8DC push 485CE8D9h; mov dword ptr [esp], ecx 0_2_011D3C1E
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDC8DC push 72D11309h; mov dword ptr [esp], esi 0_2_011D3C3B
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDC8DC push edx; mov dword ptr [esp], ebx 0_2_011D3C51
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDC8DC push edi; mov dword ptr [esp], 6664B914h 0_2_011D3C7D
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDC8DC push ebp; mov dword ptr [esp], edx 0_2_011D3D1C
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDC0D0 push edx; mov dword ptr [esp], ebp 0_2_011D3210
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDC0D0 push ebx; mov dword ptr [esp], ebp 0_2_011D3254
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDC0D0 push 5A0126E9h; mov dword ptr [esp], edi 0_2_011D328C
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FE0867 push edi; mov dword ptr [esp], ecx 0_2_011C41C7
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FE0867 push edi; mov dword ptr [esp], ecx 0_2_011C4216
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FE0867 push esi; mov dword ptr [esp], 3BD107AEh 0_2_011C428F
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FE0867 push eax; mov dword ptr [esp], ebx 0_2_011C42B7
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FE0867 push eax; mov dword ptr [esp], 4AAA72D6h 0_2_011C42BB
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FE0867 push ecx; mov dword ptr [esp], ebx 0_2_011C42EF
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDE85D push edx; mov dword ptr [esp], edi 0_2_011D5191
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDE85D push 5B1B3B8Ah; mov dword ptr [esp], ecx 0_2_011D5199
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDE85D push ebp; mov dword ptr [esp], ecx 0_2_011D51AA
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDE85D push edx; mov dword ptr [esp], 000AABB0h 0_2_011D51E8
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDE85D push eax; mov dword ptr [esp], ecx 0_2_011D5265
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FDE85D push ebp; mov dword ptr [esp], ecx 0_2_011D5269
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00FE39FC push ebx; mov dword ptr [esp], edx 0_2_011CA92F
Source: 2q45IEa3Ee.exe Static PE information: section name: entropy: 7.999554529460661
Source: 2q45IEa3Ee.exe Static PE information: section name: .boot entropy: 7.949677127496007
Source: lumma1504[1].exe.0.dr Static PE information: section name: .text entropy: 7.996781792059311
Source: oRkIPIEeryat7GMgjkBr.exe.0.dr Static PE information: section name: .text entropy: 7.996781792059311
Source: AdobeUpdaterV202.exe.0.dr Static PE information: section name: .text entropy: 7.996781792059311
Source: MSIUpdaterV202.exe.0.dr Static PE information: section name: .text entropy: 7.996781792059311
Drops PE files
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Jump to dropped file
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File created: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Jump to dropped file
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File created: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Jump to dropped file
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lumma1504[1].exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File created: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe" /tn "MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found stalling execution ending in API Sleep call
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Stalling execution: Execution stalls by calling Sleep
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: FirmwareTableInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Special instruction interceptor: First address: F70B95 instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Memory allocated: 1120000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Memory allocated: 2CE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Memory allocated: 2A20000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory allocated: C60000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory allocated: 2830000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory allocated: 4830000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory allocated: B20000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory allocated: 2730000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory allocated: B20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory allocated: 2A20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory allocated: 2C60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory allocated: 2BB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory allocated: 1590000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory allocated: 3350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory allocated: 1830000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Thread delayed: delay time: 922337203685477
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Is looking for software installed on the system
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key enumerated: More than 145 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe TID: 6760 Thread sleep count: 98 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe TID: 4460 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2492 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2492 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe TID: 4312 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe TID: 5852 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5780 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5804 Thread sleep time: -90000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2088 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe TID: 428 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6612 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6636 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe TID: 2812 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2004 Thread sleep time: -60000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00D52870 FindFirstFileA,FindNextFileA,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00D52870
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00C8C82B FindFirstFileExW,GetLastError, 0_2_00C8C82B
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Thread delayed: delay time: 922337203685477
Source: 2q45IEa3Ee.exe, 00000000.00000003.1644298203.00000000017C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}~"
Source: RegAsm.exe, 00000011.00000002.2130384793.0000000001576000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWJ+
Source: RegAsm.exe, 00000011.00000002.2130384793.000000000153E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: 2q45IEa3Ee.exe, 00000000.00000003.1625497117.0000000001570000.00000004.00001000.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1625377908.0000000001570000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlp.exeSDT\VBOX__
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.0000000001760000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&)0
Source: 2q45IEa3Ee.exe, 00000000.00000002.1878839470.0000000005FB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RegAsm.exe, RegAsm.exe, 0000000B.00000002.1939197101.00000000006DA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1939197101.000000000071D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2048327163.000000000145A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2048327163.000000000149C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.2130384793.0000000001576000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 2q45IEa3Ee.exe, 00000000.00000003.1625841550.0000000001570000.00000004.00001000.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1625917956.0000000001570000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeSDT\VBOX__
Source: 2q45IEa3Ee.exe, 00000000.00000002.1877753884.00000000017B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP!
Source: RegAsm.exe, 0000000B.00000002.1939197101.000000000071D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: 2q45IEa3Ee.exe, 00000000.00000003.1644298203.00000000017C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: 2q45IEa3Ee.exe, 00000000.00000003.1626124846.0000000001570000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeST\VBOX__
Source: 2q45IEa3Ee.exe, 00000000.00000003.1626252203.0000000001570000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnmp.exeSDT\VBOX__
Source: 2q45IEa3Ee.exe, 00000000.00000002.1878839470.0000000006002000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 2q45IEa3Ee.exe, 00000000.00000003.1625585878.0000000001570000.00000004.00001000.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1626031634.0000000001570000.00000004.00001000.00020000.00000000.sdmp, 2q45IEa3Ee.exe, 00000000.00000003.1625688795.0000000001570000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlm.exeSDT\VBOX__
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 7_2_00435B70 LdrInitializeThunk, 7_2_00435B70
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00D3B380 LoadLibraryA,GetProcAddress, 0_2_00D3B380
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: lumma1504[1].exe.0.dr, Angelo.cs Reference to suspicious API methods: Program.VirtualProtect(ref Eugene.SuperBook[0], Eugene.SuperBook.Length, 64u, ref oldProtect)
Source: lumma1504[1].exe.0.dr, Angelo.cs Reference to suspicious API methods: Program.WaitForSingleObject(Program.CreateRemoteThread(uint.MaxValue, 0u, 0u, ref Eugene.SuperBook[num], RemoteObjects.userBuffer, 0, ref WPA), uint.MaxValue)
Source: 0.2.2q45IEa3Ee.exe.e324c0.1.raw.unpack, ActiveApp.cs Reference to suspicious API methods: OpenProcess(33554432u, bInheritHandle: false, dwProcessId)
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Code function: 6_2_02CE2549 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 6_2_02CE2549
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
LummaC encrypted strings found
Source: oRkIPIEeryat7GMgjkBr.exe, 00000006.00000002.1849470900.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: wifeplasterbakewis.shop
Source: oRkIPIEeryat7GMgjkBr.exe, 00000006.00000002.1849470900.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: mealplayerpreceodsju.shop
Source: oRkIPIEeryat7GMgjkBr.exe, 00000006.00000002.1849470900.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: bordersoarmanusjuw.shop
Source: oRkIPIEeryat7GMgjkBr.exe, 00000006.00000002.1849470900.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: suitcaseacanehalk.shop
Source: oRkIPIEeryat7GMgjkBr.exe, 00000006.00000002.1849470900.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: absentconvicsjawun.shop
Source: oRkIPIEeryat7GMgjkBr.exe, 00000006.00000002.1849470900.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: pushjellysingeywus.shop
Source: oRkIPIEeryat7GMgjkBr.exe, 00000006.00000002.1849470900.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: economicscreateojsu.shop
Source: oRkIPIEeryat7GMgjkBr.exe, 00000006.00000002.1849470900.0000000003CE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: entitlementappwo.shop
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44A000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 10E1008 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44A000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1055008 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44A000 Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 240008 Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44A000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E93008
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43F000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44A000
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 11C3008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Process created: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe "C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe Queries volume information: C:\Users\user\AppData\Local\Temp\spanBzNJzauM1END\oRkIPIEeryat7GMgjkBr.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Queries volume information: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe Queries volume information: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Queries volume information: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe Queries volume information: C:\Users\user\AppData\Local\AdobeUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\AdobeUpdaterV202.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Code function: 0_2_00C8DEAD GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00C8DEAD
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: RegAsm.exe, 00000007.00000002.1920810654.0000000001472000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.1936828284.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.1936237566.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1939197101.0000000000705000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.1939197101.0000000000785000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000F.00000002.2049332296.000000000358C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5900, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2128, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Yara detected RisePro Stealer
Source: Yara match File source: 00000000.00000003.1824382503.0000000005E26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\uw5Stgma3gbM9Xo4g_6cCoQ.zip, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: RegAsm.exe, 00000007.00000002.1920616270.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\wallets
Source: RegAsm.exe, 00000007.00000002.1920616270.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty
Source: RegAsm.exe, 00000007.00000002.1920616270.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: RegAsm.exe, 00000007.00000002.1920616270.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: RegAsm.exe, 00000007.00000002.1920616270.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: 2q45IEa3Ee.exe, 00000000.00000002.1878839470.0000000005FB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: RegAsm.exe, 00000007.00000002.1920616270.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: RegAsm.exe, 00000007.00000002.1920616270.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: RegAsm.exe, 00000007.00000002.1920616270.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Tries to steal Crypto Currency Wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\2q45IEa3Ee.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Searches for user specific document files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Directory queried: number of queries: 2357
Yara detected Credential Stealer
Source: Yara match File source: 00000007.00000002.1920616270.000000000140A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1939197101.000000000071D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5900, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2128, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5948, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5900, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2128, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Yara detected RisePro Stealer
Source: Yara match File source: 00000000.00000003.1824382503.0000000005E26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\uw5Stgma3gbM9Xo4g_6cCoQ.zip, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1429253 Sample: 2q45IEa3Ee.exe Startdate: 21/04/2024 Architecture: WINDOWS Score: 100 50 bordersoarmanusjuw.shop 2->50 52 ipinfo.io 2->52 54 db-ip.com 2->54 64 Snort IDS alert for network traffic 2->64 66 Multi AV Scanner detection for domain / URL 2->66 68 Found malware configuration 2->68 70 11 other signatures 2->70 8 2q45IEa3Ee.exe 1 77 2->8         started        13 MSIUpdaterV202.exe 1 2->13         started        15 AdobeUpdaterV202.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 58 193.233.132.253, 49732, 49740, 50500 FREE-NET-ASFREEnetEU Russian Federation 8->58 60 ipinfo.io 34.117.186.192, 443, 49733 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->60 62 db-ip.com 104.26.5.15, 443, 49734 CLOUDFLARENETUS United States 8->62 42 C:\Users\user\...\oRkIPIEeryat7GMgjkBr.exe, PE32 8->42 dropped 44 C:\Users\user\AppData\...\lumma1504[1].exe, PE32 8->44 dropped 46 C:\Users\user\...\AdobeUpdaterV202.exe, PE32 8->46 dropped 48 2 other malicious files 8->48 dropped 92 Query firmware table information (likely to detect VMs) 8->92 94 Tries to detect sandboxes and other dynamic analysis tools (window names) 8->94 96 Tries to steal Mail credentials (via file / registry access) 8->96 110 8 other signatures 8->110 19 oRkIPIEeryat7GMgjkBr.exe 1 8->19         started        22 schtasks.exe 1 8->22         started        24 schtasks.exe 1 8->24         started        98 Antivirus detection for dropped file 13->98 100 Multi AV Scanner detection for dropped file 13->100 102 Machine Learning detection for dropped file 13->102 26 RegAsm.exe 13->26         started        104 Writes to foreign memory regions 15->104 106 Allocates memory in foreign processes 15->106 108 Injects a PE file into a foreign processes 15->108 28 RegAsm.exe 15->28         started        30 RegAsm.exe 17->30         started        32 RegAsm.exe 17->32         started        file6 signatures7 process8 signatures9 72 Antivirus detection for dropped file 19->72 74 Multi AV Scanner detection for dropped file 19->74 76 Machine Learning detection for dropped file 19->76 84 5 other signatures 19->84 34 RegAsm.exe 19->34         started        38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        78 Query firmware table information (likely to detect VMs) 30->78 80 Tries to harvest and steal browser information (history, passwords, etc) 30->80 82 Tries to steal Crypto Currency Wallets 30->82 process10 dnsIp11 56 bordersoarmanusjuw.shop 172.67.189.66, 443, 49742, 49743 CLOUDFLARENETUS United States 34->56 86 Query firmware table information (likely to detect VMs) 34->86 88 Found many strings related to Crypto-Wallets (likely being stolen) 34->88 90 Tries to steal Crypto Currency Wallets 34->90 signatures12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.189.66
 bordersoarmanusjuw.shop United States
13335 CLOUDFLARENETUS true
34.117.186.192
 ipinfo.io United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
104.26.5.15
 db-ip.com United States
13335 CLOUDFLARENETUS false
193.233.132.253
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true

Contacted Domains

Name IP Active
bordersoarmanusjuw.shop 172.67.189.66 true
ipinfo.io 34.117.186.192 true
db-ip.com 104.26.5.15 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
bordersoarmanusjuw.shop true unknown
https://bordersoarmanusjuw.shop/api true unknown
mealplayerpreceodsju.shop true unknown
absentconvicsjawun.shop true unknown
http://193.233.132.253/lumma1504.exe true unknown
pushjellysingeywus.shop true unknown
economicscreateojsu.shop true unknown
https://ipinfo.io/widget/demo/81.181.57.52 false
    		high
    wifeplasterbakewis.shop true unknown
    https://db-ip.com/demo/home.php?s=81.181.57.52 false
      		high
      suitcaseacanehalk.shop true unknown
      entitlementappwo.shop true unknown