Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe
Analysis ID:	1632969
MD5:	428debead98e87580b9d650b373dc205
SHA1:	4965fb5c56de9a62f4eacf49ec9ff523500a31c7
SHA256:	5c9f76f84adfb563c3073625481286cfb5059a05d12d635ee26e758c6c881a8a
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

LummaC Stealer, RHADAMANTHYS

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected RHADAMANTHYS Stealer

.NET source code contains method to dynamically call methods (often used by packers)

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to launch a process as a different user

Contains functionality to read the clipboard data

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe (PID: 5884 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe" MD5: 428DEBEAD98E87580B9D650B373DC205)

AddInProcess32.exe (PID: 5328 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 7536 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 7456 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

fontdrvhost.exe (PID: 7628 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: 8D0DA0C5DCF1A14F9D65F5C0BEA53F3D)

fontdrvhost.exe (PID: 7952 cmdline: "C:\Windows\System32\fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

WerFault.exe (PID: 8000 cmdline: C:\Windows\system32\WerFault.exe -u -p 7952 -s 148 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 7696 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7456 -s 748 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Rhadamanthys	According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.	Sandworm	https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/ https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/ https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023 https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.talosintelligence.com/highlighting-ta866-asylum-ambuscade/	https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Malware Configuration

Threatname: LummaC

{"C2 url": ["paleboreei.biz", "uncertainyelemz.bet", "hobbyedsmoker.live", "dsfljsdfjewf.info", "deaddereaste.today", "subawhipnator.life", "privileggoe.live", "decreaserid.world"], "Build id": "bFcGh6--2402"}

Threatname: Rhadamanthys

{"C2 url": "https://45.93.20.244:8954/b1607e49cd5359031f99a77e/e3mfs8q6.jg9ng"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000C.00000003.1716528239.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000B.00000002.1857497759.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000002.00000002.1843850127.00000000042FE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000C.00000003.1720204321.0000000005250000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000A.00000002.1721376498.0000000002840000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
0000000C.00000003.1719939750.0000000005030000.00000004.00000001.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000002.00000002.1843850127.0000000004189000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000000C.00000002.1820937664.0000000003030000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_RHADAMANTHYS	Yara detected RHADAMANTHYS Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe PID: 5884	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: AddInProcess32.exe PID: 5328	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: fontdrvhost.exe PID: 7628	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
11.2.AddInProcess32.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
11.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
12.3.fontdrvhost.exe.5250000.7.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
12.3.fontdrvhost.exe.5250000.7.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
12.3.fontdrvhost.exe.5030000.6.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-09T13:55:51.041598+0100	2028371	3	Unknown Traffic	192.168.2.7	65516	23.204.10.89	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deaddereaste .today)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-09T13:55:48.018313+0100	2060330	1	Domain Observed Used for C2 Detected	192.168.2.7	60549	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (decreaserid .world)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-09T13:55:48.055954+0100	2060202	1	Domain Observed Used for C2 Detected	192.168.2.7	54898	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dsfljsdfjewf .info)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-09T13:55:48.000460+0100	2060206	1	Domain Observed Used for C2 Detected	192.168.2.7	60152	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hobbyedsmoker .live)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-09T13:55:47.987152+0100	2060334	1	Domain Observed Used for C2 Detected	192.168.2.7	52945	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (paleboreei .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-09T13:55:47.960408+0100	2059925	1	Domain Observed Used for C2 Detected	192.168.2.7	58104	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pastedeputten .life)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-09T13:55:48.071695+0100	2060338	1	Domain Observed Used for C2 Detected	192.168.2.7	51394	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (privileggoe .live)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-09T13:55:48.043173+0100	2060307	1	Domain Observed Used for C2 Detected	192.168.2.7	62053	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (subawhipnator .life)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-09T13:55:48.033070+0100	2060313	1	Domain Observed Used for C2 Detected	192.168.2.7	55439	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (uncertainyelemz .bet)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-09T13:55:47.972300+0100	2060315	1	Domain Observed Used for C2 Detected	192.168.2.7	63671	1.1.1.1	53	UDP

ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-09T13:55:45.271957+0100	2854802	1	Domain Observed Used for C2 Detected	45.93.20.244	8954	192.168.2.7	49694	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://uncertainyelemz.bet:443/api5	Avira URL Cloud: Label: malware
Source: https://deaddereaste.today:443/apiL	Avira URL Cloud: Label: malware
Source: https://dsfljsdfjewf.info:443/api	Avira URL Cloud: Label: malware
Source: https://pastedeputten.life:443/api	Avira URL Cloud: Label: malware
Source: https://subawhipnator.life:443/api	Avira URL Cloud: Label: malware
Source: https://privileggoe.live:443/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000002.00000002.1843850127.00000000042FE000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: LummaC {"C2 url": ["paleboreei.biz", "uncertainyelemz.bet", "hobbyedsmoker.live", "dsfljsdfjewf.info", "deaddereaste.today", "subawhipnator.life", "privileggoe.live", "decreaserid.world"], "Build id": "bFcGh6--2402"}
Source: 0.2.SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe.3972288.4.unpack	Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://45.93.20.244:8954/b1607e49cd5359031f99a77e/e3mfs8q6.jg9ng"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Virustotal: Detection: 73%			Perma Link
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	ReversingLabs: Detection: 55%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.1843850127.00000000042FE000.00000004.00000800.00020000.00000000.sdmp	String decryptor: paleboreei.biz
Source: 00000002.00000002.1843850127.00000000042FE000.00000004.00000800.00020000.00000000.sdmp	String decryptor: uncertainyelemz.bet
Source: 00000002.00000002.1843850127.00000000042FE000.00000004.00000800.00020000.00000000.sdmp	String decryptor: hobbyedsmoker.live
Source: 00000002.00000002.1843850127.00000000042FE000.00000004.00000800.00020000.00000000.sdmp	String decryptor: dsfljsdfjewf.info
Source: 00000002.00000002.1843850127.00000000042FE000.00000004.00000800.00020000.00000000.sdmp	String decryptor: deaddereaste.today
Source: 00000002.00000002.1843850127.00000000042FE000.00000004.00000800.00020000.00000000.sdmp	String decryptor: subawhipnator.life
Source: 00000002.00000002.1843850127.00000000042FE000.00000004.00000800.00020000.00000000.sdmp	String decryptor: privileggoe.live
Source: 00000002.00000002.1843850127.00000000042FE000.00000004.00000800.00020000.00000000.sdmp	String decryptor: decreaserid.world

Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.7:49692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.10.89:443 -> 192.168.2.7:65516 version: TLS 1.2

Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wkernel32.pdb source: fontdrvhost.exe, 0000000C.00000003.1719160795.0000000005030000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1719334815.0000000005150000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: fontdrvhost.exe, 0000000C.00000003.1720204321.0000000005250000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1719939750.0000000005030000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: fontdrvhost.exe, 0000000C.00000003.1717905553.0000000005220000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1717597471.0000000005030000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: fontdrvhost.exe, 0000000C.00000003.1718292734.0000000005030000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1718614976.00000000051D0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: fontdrvhost.exe, 0000000C.00000003.1717905553.0000000005220000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1717597471.0000000005030000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: fontdrvhost.exe, 0000000C.00000003.1718292734.0000000005030000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1718614976.00000000051D0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: fontdrvhost.exe, 0000000C.00000003.1719160795.0000000005030000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1719334815.0000000005150000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: fontdrvhost.exe, 0000000C.00000003.1720204321.0000000005250000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1719939750.0000000005030000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 4x nop then jmp 025E8205h	0_2_025E813F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_025E8610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_025E85FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 02DA8205h	2_2_02DA8150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	2_2_02DA8610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 02DA8205h	2_2_02DA813F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	2_2_02DA85FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000BBh]	11_2_00447A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then lea ecx, dword ptr [eax+eax]	11_2_00444C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi]	11_2_00446040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then push dword ptr [esi+14h]	11_2_0041083A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ecx, eax	11_2_0041083A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx esi, byte ptr [ebx+ecx-000000D2h]	11_2_0042F8C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ecx, eax	11_2_004298F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+02h]	11_2_0044108A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	11_2_004400A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx edx, byte ptr [eax]	11_2_004400A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 720EEED4h	11_2_00443100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-2809052Bh]	11_2_00443100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx edx, byte ptr [esp+esi+27577599h]	11_2_00443100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov byte ptr [eax], cl	11_2_0041D12C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	11_2_0041D12C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	11_2_0040A1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	11_2_0040A1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov word ptr [eax], cx	11_2_004201AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	11_2_004469B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+140AC537h]	11_2_00445A52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov eax, ebx	11_2_00421260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov byte ptr [eax], cl	11_2_0041C221
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	11_2_0041C221
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+38h]	11_2_0042D23F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ecx, eax	11_2_004232C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	11_2_0043CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov dword ptr [esp+08h], edi	11_2_00433ADD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ecx, eax	11_2_0042C2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], esi	11_2_00446AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+578BD47Eh]	11_2_0040FAFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+02h]	11_2_00440A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+02h]	11_2_00440A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ecx, eax	11_2_0040EB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02h]	11_2_00426380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h	11_2_0041ABA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ecx, eax	11_2_0041ABA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ecx, eax	11_2_00429BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-72CBAB97h]	11_2_0041FBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov edx, ecx	11_2_0042C3BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ecx, eax	11_2_0042C3BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ebx, ecx	11_2_00444C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then lea ecx, dword ptr [eax+eax]	11_2_00444C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then push esi	11_2_00425453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov word ptr [esi], cx	11_2_00424C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov byte ptr [ecx], bl	11_2_0043347A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov eax, edx	11_2_00423400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov word ptr [ecx], dx	11_2_00447CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ecx, eax	11_2_00429D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	11_2_00445553
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-2809055Fh]	11_2_00411D78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp dword ptr [0044EA9Ch]	11_2_0042E534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+078CCBDEh]	11_2_004475C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then lea ecx, dword ptr [eax+27h]	11_2_0041DD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	11_2_0041DD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then lea ecx, dword ptr [eax+27h]	11_2_0041DD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	11_2_004025A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+esi+0Ch]	11_2_0043F640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ecx, eax	11_2_0043F640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ecx, eax	11_2_00411E6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax-7Dh]	11_2_00411605
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax+27DDFCF1h]	11_2_0042BE06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	11_2_00418E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+06h]	11_2_004206A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+20h]	11_2_0041A757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	11_2_00402770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	11_2_0042FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], CA198B66h	11_2_0042BF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-000000ECh]	11_2_0042B7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov byte ptr [edi], al	11_2_00433FCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+00000170h]	11_2_00433FCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+ecx-70AAEE47h]	11_2_00411FF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov byte ptr [edi], al	11_2_00433FCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+00000170h]	11_2_00433FCC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 45.93.20.244:8954 -> 192.168.2.7:49694
Source: Network traffic	Suricata IDS: 2060315 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (uncertainyelemz .bet) : 192.168.2.7:63671 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060338 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pastedeputten .life) : 192.168.2.7:51394 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060313 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (subawhipnator .life) : 192.168.2.7:55439 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059925 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (paleboreei .biz) : 192.168.2.7:58104 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060307 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (privileggoe .live) : 192.168.2.7:62053 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060330 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deaddereaste .today) : 192.168.2.7:60549 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060334 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hobbyedsmoker .live) : 192.168.2.7:52945 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dsfljsdfjewf .info) : 192.168.2.7:60152 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060202 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (decreaserid .world) : 192.168.2.7:54898 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: paleboreei.biz
Source: Malware configuration extractor	URLs: uncertainyelemz.bet
Source: Malware configuration extractor	URLs: hobbyedsmoker.live
Source: Malware configuration extractor	URLs: dsfljsdfjewf.info
Source: Malware configuration extractor	URLs: deaddereaste.today
Source: Malware configuration extractor	URLs: subawhipnator.life
Source: Malware configuration extractor	URLs: privileggoe.live
Source: Malware configuration extractor	URLs: decreaserid.world
Source: Malware configuration extractor	URLs: https://45.93.20.244:8954/b1607e49cd5359031f99a77e/e3mfs8q6.jg9ng

Source: global traffic

TCP traffic: 192.168.2.7:49694 -> 45.93.20.244:8954

Source: global traffic	HTTP traffic detected: GET /sJgKHwX4/hydraulic-Managments.webp HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /sJgKHwX4/hydraulic-Managments.webp HTTP/1.1Host: i.ibb.coConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 91.134.9.160 91.134.9.160

Source: Joe Sandbox View

ASN Name: COGENT-174US COGENT-174US

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:65516 -> 23.204.10.89:443

Source: global traffic

HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244
Source: unknown	TCP traffic detected without corresponding DNS query: 45.93.20.244

Source: global traffic	HTTP traffic detected: GET /sJgKHwX4/hydraulic-Managments.webp HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /sJgKHwX4/hydraulic-Managments.webp HTTP/1.1Host: i.ibb.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCountry=US%7C24261067112364986345cc267ec03cae; path=/; secure; HttpOnly; SameSite=Nonesessionid=f761e402630f7ee290775c15; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35725Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSun, 09 Mar 2025 12:55:51 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: i.ibb.co
Source: global traffic	DNS traffic detected: DNS query: paleboreei.biz
Source: global traffic	DNS traffic detected: DNS query: uncertainyelemz.bet
Source: global traffic	DNS traffic detected: DNS query: hobbyedsmoker.live
Source: global traffic	DNS traffic detected: DNS query: dsfljsdfjewf.info
Source: global traffic	DNS traffic detected: DNS query: deaddereaste.today
Source: global traffic	DNS traffic detected: DNS query: subawhipnator.life
Source: global traffic	DNS traffic detected: DNS query: privileggoe.live
Source: global traffic	DNS traffic detected: DNS query: decreaserid.world
Source: global traffic	DNS traffic detected: DNS query: pastedeputten.life
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: AddInProcess32.exe, 00000002.00000002.1852395724.00000000086E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1708773788.0000000002891000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.1826495199.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AddInProcess32.exe, 0000000B.00000002.1858849451.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: AddInProcess32.exe, 0000000B.00000002.1858849451.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: AddInProcess32.exe, 0000000B.00000002.1858849451.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.18.dr	String found in binary or memory: http://upx.sf.net
Source: fontdrvhost.exe, 0000000C.00000003.1819855073.0000000004FA2000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000002.1820295105.00000000009DC000.00000004.00000010.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000002.1921404656.000002002B570000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://45.93.20.244:8954/b1607e49cd5359031f99a77e/e3mfs8q6.jg9ng
Source: fontdrvhost.exe, 0000000C.00000003.1819855073.0000000004FA2000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000010.00000002.1921404656.000002002B570000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://45.93.20.244:8954/b1607e49cd5359031f99a77e/e3mfs8q6.jg9ngkernelbasentdllkernel32GetProcessMi
Source: fontdrvhost.exe, 0000000C.00000002.1820295105.00000000009DC000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://45.93.20.244:8954/b1607e49cd5359031f99a77e/e3mfs8q6.jg9ngx
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	String found in binary or memory: https://api.exchangerate-api.com/v4/latest/
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	String found in binary or memory: https://api.skanfiret.com/data-Processed
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: fontdrvhost.exe, 0000000C.00000003.1797437652.0000000004FAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-query
Source: fontdrvhost.exe, 0000000C.00000003.1797437652.0000000004FAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi
Source: AddInProcess32.exe, 0000000B.00000002.1858849451.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.s
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: AddInProcess32.exe, 0000000B.00000002.1860318277.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=GlKQ1cghJWE2&l=english&_c
Source: AddInProcess32.exe, 0000000B.00000002.1860318277.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: AddInProcess32.exe, 0000000B.00000002.1860318277.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: AddInProcess32.exe, 0000000B.00000002.1860318277.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: AddInProcess32.exe, 0000000B.00000002.1860318277.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: AddInProcess32.exe, 0000000B.00000002.1860318277.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: AddInProcess32.exe, 0000000B.00000002.1860318277.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: AddInProcess32.exe, 0000000B.00000002.1860318277.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: AddInProcess32.exe, 0000000B.00000002.1860318277.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: AddInProcess32.exe, 0000000B.00000002.1860318277.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: AddInProcess32.exe, 0000000B.00000002.1860318277.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: AddInProcess32.exe, 0000000B.00000002.1859322257.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deaddereaste.today:443/apiL
Source: AddInProcess32.exe, 0000000B.00000002.1859322257.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dsfljsdfjewf.info:443/api
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1708773788.0000000002891000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.1826495199.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://i.ibb.co
Source: AddInProcess32.exe, 00000002.00000002.1826495199.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://i.ibb.co/sJgKHwX4/hydraulic-Managments.webp
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: AddInProcess32.exe, 0000000B.00000002.1859322257.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastedeputten.life:443/api
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: AddInProcess32.exe, 0000000B.00000002.1859322257.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://privileggoe.live:443/api
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: AddInProcess32.exe, 0000000B.00000002.1858849451.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/Q
Source: AddInProcess32.exe, 0000000B.00000002.1858849451.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: AddInProcess32.exe, 0000000B.00000002.1859322257.0000000000AE9000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000B.00000002.1858849451.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128
Source: AddInProcess32.exe, 0000000B.00000002.1858849451.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199822375128/inventory/
Source: AddInProcess32.exe, 0000000B.00000002.1859322257.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199822375128k
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamloopback.host
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCou
Source: AddInProcess32.exe, 0000000B.00000002.1858849451.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: AddInProcess32.exe, 0000000B.00000002.1859322257.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://subawhipnator.life:443/api
Source: AddInProcess32.exe, 0000000B.00000002.1859322257.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uncertainyelemz.bet:443/api5
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1737699609.0000000006A91000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1740923780.0000000007C10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.anon.com/frit/asfta.dara
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 65516
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65516 -> 443

Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 91.134.9.160:443 -> 192.168.2.7:49692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.10.89:443 -> 192.168.2.7:65516 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_0043AF10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

11_2_0043AF10

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_0043AF10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

11_2_0043AF10

Source: fontdrvhost.exe, 0000000C.00000003.1720204321.0000000005250000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_d650457f-0

Source: fontdrvhost.exe, 0000000C.00000003.1720204321.0000000005250000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_d75c51dd-4

Source: Yara match	File source: 12.3.fontdrvhost.exe.5250000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.fontdrvhost.exe.5250000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.fontdrvhost.exe.5030000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000003.1720204321.0000000005250000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1719939750.0000000005030000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 7628, type: MEMORYSTR

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe

Code function: 0_2_05FB6548 CreateProcessAsUserW,

0_2_05FB6548

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_025E8610	0_2_025E8610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_025EA748	0_2_025EA748
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_025EAF8D	0_2_025EAF8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_025E9FD0	0_2_025E9FD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_025E85FF	0_2_025E85FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05EE7B0C	0_2_05EE7B0C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05EE80E1	0_2_05EE80E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05EE80F0	0_2_05EE80F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05EE5DEC	0_2_05EE5DEC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05EE9C90	0_2_05EE9C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05F42578	0_2_05F42578
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05F42568	0_2_05F42568
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05F47248	0_2_05F47248
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05F47238	0_2_05F47238
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB1C48	0_2_05FB1C48
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB6C28	0_2_05FB6C28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB6ED0	0_2_05FB6ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB4E18	0_2_05FB4E18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FBCDD0	0_2_05FBCDD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB4DC8	0_2_05FB4DC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FBBD70	0_2_05FBBD70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB5130	0_2_05FB5130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB5121	0_2_05FB5121
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB74C8	0_2_05FB74C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB90A8	0_2_05FB90A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB9098	0_2_05FB9098
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB0040	0_2_05FB0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB1440	0_2_05FB1440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB1C38	0_2_05FB1C38
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB6C1B	0_2_05FB6C1B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB1414	0_2_05FB1414
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB0006	0_2_05FB0006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB57E8	0_2_05FB57E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB47B0	0_2_05FB47B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB47A0	0_2_05FB47A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB2B1A	0_2_05FB2B1A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB0708	0_2_05FB0708
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB26E8	0_2_05FB26E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB2AC3	0_2_05FB2AC3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB0E40	0_2_05FB0E40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB0E31	0_2_05FB0E31
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06374E08	0_2_06374E08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_063792A0	0_2_063792A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_063702EB	0_2_063702EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06378010	0_2_06378010
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06370040	0_2_06370040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06378888	0_2_06378888
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637C8FB	0_2_0637C8FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637C258	0_2_0637C258
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637C249	0_2_0637C249
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637C6F0	0_2_0637C6F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637C6E1	0_2_0637C6E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06377F58	0_2_06377F58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637438F	0_2_0637438F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06373BFD	0_2_06373BFD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_063763F8	0_2_063763F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637BBF8	0_2_0637BBF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_063743E0	0_2_063743E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637D436	0_2_0637D436
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06374C28	0_2_06374C28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06370006	0_2_06370006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637BC08	0_2_0637BC08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637C460	0_2_0637C460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637C450	0_2_0637C450
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06372CB9	0_2_06372CB9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637B0A0	0_2_0637B0A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637B091	0_2_0637B091
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06370898	0_2_06370898
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06374C84	0_2_06374C84
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06372CC8	0_2_06372CC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06373982	0_2_06373982
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_063755D6	0_2_063755D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06374DC1	0_2_06374DC1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_063731CE	0_2_063731CE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06397258	0_2_06397258
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0639C430	0_2_0639C430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06393C00	0_2_06393C00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06390C99	0_2_06390C99
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06392970	0_2_06392970
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_063931E8	0_2_063931E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0639B628	0_2_0639B628
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06395A00	0_2_06395A00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0639FA80	0_2_0639FA80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06396BB8	0_2_06396BB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06396BA8	0_2_06396BA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06394FF4	0_2_06394FF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0639A828	0_2_0639A828
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0639BC28	0_2_0639BC28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06396858	0_2_06396858
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06397050	0_2_06397050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06397040	0_2_06397040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_063928B7	0_2_063928B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_063928ED	0_2_063928ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06391D37	0_2_06391D37
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06392919	0_2_06392919
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06396568	0_2_06396568
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06396558	0_2_06396558
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06396DB0	0_2_06396DB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_063959F0	0_2_063959F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06396DC0	0_2_06396DC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_064166A3	0_2_064166A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06415978	0_2_06415978
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0641647B	0_2_0641647B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0641E030	0_2_0641E030
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_064194C0	0_2_064194C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0641F2C8	0_2_0641F2C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0641349D	0_2_0641349D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06419760	0_2_06419760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06415968	0_2_06415968
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06413538	0_2_06413538
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_064177C4	0_2_064177C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0641A7E0	0_2_0641A7E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07BE0006	0_2_07BE0006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07BE0040	0_2_07BE0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07BE6F20	0_2_07BE6F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07BE6F12	0_2_07BE6F12
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07BE5A98	0_2_07BE5A98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07BE5A88	0_2_07BE5A88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07C09570	0_2_07C09570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07C04D28	0_2_07C04D28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07C0F448	0_2_07C0F448
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07C00040	0_2_07C00040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07C0E7A0	0_2_07C0E7A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07C0A750	0_2_07C0A750
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07C0A760	0_2_07C0A760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07C0EEF8	0_2_07C0EEF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07C06589	0_2_07C06589
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07C06598	0_2_07C06598
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07C0DC50	0_2_07C0DC50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07C09B81	0_2_07C09B81
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07C0C346	0_2_07C0C346
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07C0C350	0_2_07C0C350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07C00007	0_2_07C00007
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F54645	0_2_07F54645
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F50040	0_2_07F50040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F5EE00	0_2_07F5EE00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F5D408	0_2_07F5D408
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F54ACF	0_2_07F54ACF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F5F778	0_2_07F5F778
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F50006	0_2_07F50006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F6E018	0_2_07F6E018
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F65BF8	0_2_07F65BF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F65BE8	0_2_07F65BE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F617B0	0_2_07F617B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F6F338	0_2_07F6F338
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F69318	0_2_07F69318
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F672F0	0_2_07F672F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F6A2EA	0_2_07F6A2EA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F672EB	0_2_07F672EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F61292	0_2_07F61292
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F61298	0_2_07F61298
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F6E658	0_2_07F6E658
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F62D28	0_2_07F62D28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F62D17	0_2_07F62D17
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F68880	0_2_07F68880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F68857	0_2_07F68857
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F60040	0_2_07F60040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F60007	0_2_07F60007
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F8C518	0_2_07F8C518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F812F9	0_2_07F812F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F8E0C8	0_2_07F8E0C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F8A870	0_2_07F8A870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F80040	0_2_07F80040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F8DFC6	0_2_07F8DFC6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F897A8	0_2_07F897A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F89797	0_2_07F89797
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F8CF32	0_2_07F8CF32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F8872D	0_2_07F8872D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F836F8	0_2_07F836F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F836E8	0_2_07F836E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F89698	0_2_07F89698
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F88E70	0_2_07F88E70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F88E62	0_2_07F88E62
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F86DF0	0_2_07F86DF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F895DA	0_2_07F895DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F89D48	0_2_07F89D48
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F89D39	0_2_07F89D39
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F8C50B	0_2_07F8C50B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F8235A	0_2_07F8235A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F82327	0_2_07F82327
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F84318	0_2_07F84318
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F84309	0_2_07F84309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F88AB0	0_2_07F88AB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F8BAA0	0_2_07F8BAA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F84AA0	0_2_07F84AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F88A9F	0_2_07F88A9F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F84A85	0_2_07F84A85
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F8A230	0_2_07F8A230
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F8A210	0_2_07F8A210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F849FF	0_2_07F849FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F859C0	0_2_07F859C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F869B0	0_2_07F869B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F86994	0_2_07F86994
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F8598C	0_2_07F8598C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F8A848	0_2_07F8A848
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F80006	0_2_07F80006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_088F7F11	0_2_088F7F11
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_08900283	0_2_08900283
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_088FC2E5	0_2_088FC2E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_088F3EF3	0_2_088F3EF3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_088F001D	0_2_088F001D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_088F0040	0_2_088F0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_08908470	0_2_08908470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_089043CB	0_2_089043CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0890F560	0_2_0890F560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_08904163	0_2_08904163
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0894A178	0_2_0894A178
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0894B894	0_2_0894B894
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0894A099	0_2_0894A099
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0893FC9C	0_2_0893FC9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0894E48B	0_2_0894E48B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0894BEA4	0_2_0894BEA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0893AAF2	0_2_0893AAF2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0894E4F8	0_2_0894E4F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_089476FA	0_2_089476FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0894E4EA	0_2_0894E4EA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_08930006	0_2_08930006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0894B82B	0_2_0894B82B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_08930040	0_2_08930040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_08944E4E	0_2_08944E4E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0893D3C3	0_2_0893D3C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0894D5C8	0_2_0894D5C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_08937FE8	0_2_08937FE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_08942575	0_2_08942575
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0894D560	0_2_0894D560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_08C6E968	0_2_08C6E968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02D87248	2_2_02D87248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02D87238	2_2_02D87238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02D82578	2_2_02D82578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02D82568	2_2_02D82568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02DA8610	2_2_02DA8610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02DAA5F8	2_2_02DAA5F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02DAAF8D	2_2_02DAAF8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02DA9FD0	2_2_02DA9FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_02DA85FF	2_2_02DA85FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_06447B0C	2_2_06447B0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_064480E1	2_2_064480E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_064480F0	2_2_064480F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_06449C90	2_2_06449C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_06445DEC	2_2_06445DEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_06490040	2_2_06490040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_06490006	2_2_06490006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0649D408	2_2_0649D408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0649EE00	2_2_0649EE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_06494646	2_2_06494646
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_06493003	2_2_06493003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_06494ACF	2_2_06494ACF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_06494AE0	2_2_06494AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0649F778	2_2_0649F778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080E0040	2_2_080E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080EF448	2_2_080EF448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080E4D28	2_2_080E4D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080E9570	2_2_080E9570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080E7FBE	2_2_080E7FBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080E0006	2_2_080E0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080EF8CE	2_2_080EF8CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080EC23C	2_2_080EC23C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080E8AC0	2_2_080E8AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080EFAFD	2_2_080EFAFD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080EC350	2_2_080EC350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080E9B81	2_2_080E9B81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080E9B90	2_2_080E9B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080EDC50	2_2_080EDC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080E4CF8	2_2_080E4CF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080EED02	2_2_080EED02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080E6589	2_2_080E6589
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080E6598	2_2_080E6598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080EEEA4	2_2_080EEEA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080EEEF8	2_2_080EEEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080EA750	2_2_080EA750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080EA760	2_2_080EA760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080EE798	2_2_080EE798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_080EE7A0	2_2_080EE7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08105A98	2_2_08105A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08105A88	2_2_08105A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08106F12	2_2_08106F12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08106F20	2_2_08106F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08100012	2_2_08100012
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08100040	2_2_08100040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08410040	2_2_08410040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08412048	2_2_08412048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0841A870	2_2_0841A870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0841E0C8	2_2_0841E0C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_084123D8	2_2_084123D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_084114F4	2_2_084114F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0841C518	2_2_0841C518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0841A848	2_2_0841A848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08410006	2_2_08410006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_084159C0	2_2_084159C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_084149FF	2_2_084149FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0841598C	2_2_0841598C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_084121B1	2_2_084121B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08414A78	2_2_08414A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0841A210	2_2_0841A210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08416A16	2_2_08416A16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0841A230	2_2_0841A230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_084112F9	2_2_084112F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08418A9F	2_2_08418A9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0841BAA0	2_2_0841BAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08414AA0	2_2_08414AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08418AB0	2_2_08418AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08411B53	2_2_08411B53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0841235A	2_2_0841235A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08414309	2_2_08414309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08414318	2_2_08414318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08411C2C	2_2_08411C2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0841C4F8	2_2_0841C4F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08419D48	2_2_08419D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08419D20	2_2_08419D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_084195DA	2_2_084195DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08418E63	2_2_08418E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08418E70	2_2_08418E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_084136E8	2_2_084136E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_084136F8	2_2_084136F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08411680	2_2_08411680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08419698	2_2_08419698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0841CF40	2_2_0841CF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08418708	2_2_08418708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0841CF33	2_2_0841CF33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08411FD2	2_2_08411FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0841DF80	2_2_0841DF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08419797	2_2_08419797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_084197A8	2_2_084197A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0849E018	2_2_0849E018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08490040	2_2_08490040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0849887D	2_2_0849887D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08490006	2_2_08490006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08498880	2_2_08498880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08492D17	2_2_08492D17
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08492D28	2_2_08492D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0849E658	2_2_0849E658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08491279	2_2_08491279
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_084972CB	2_2_084972CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0849A2F8	2_2_0849A2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_084972F0	2_2_084972F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0849A2F5	2_2_0849A2F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08497283	2_2_08497283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08491298	2_2_08491298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08499318	2_2_08499318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_0849F338	2_2_0849F338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08495BE8	2_2_08495BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08495BF8	2_2_08495BF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_084917B0	2_2_084917B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B50040	2_2_08B50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B52580	2_2_08B52580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B51D08	2_2_08B51D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B57150	2_2_08B57150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B59950	2_2_08B59950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B56600	2_2_08B56600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B52F99	2_2_08B52F99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B5B7C8	2_2_08B5B7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B5BB28	2_2_08B5BB28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B558F1	2_2_08B558F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B510E0	2_2_08B510E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B51CE3	2_2_08B51CE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B570D7	2_2_08B570D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B510D1	2_2_08B510D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B50011	2_2_08B50011
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B54D98	2_2_08B54D98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B54D88	2_2_08B54D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B565FA	2_2_08B565FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B55900	2_2_08B55900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B56158	2_2_08B56158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B56149	2_2_08B56149
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B5438C	2_2_08B5438C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B563E8	2_2_08B563E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B563D8	2_2_08B563D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B5AFC0	2_2_08B5AFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B59BC0	2_2_08B59BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B5F300	2_2_08B5F300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B55F50	2_2_08B55F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08B55F40	2_2_08B55F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08BB8000	2_2_08BB8000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08BB8470	2_2_08BB8470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08BD0006	2_2_08BD0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08BD0040	2_2_08BD0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08BD6150	2_2_08BD6150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08BD2418	2_2_08BD2418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08BD2416	2_2_08BD2416
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08BD4EB0	2_2_08BD4EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08BFA178	2_2_08BFA178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08BFBEA4	2_2_08BFBEA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08BFA099	2_2_08BFA099
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08BFB894	2_2_08BFB894
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08BFD5C8	2_2_08BFD5C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08BFB8C0	2_2_08BFB8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08BFB82B	2_2_08BFB82B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08BF9000	2_2_08BF9000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08BFD55E	2_2_08BFD55E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C27A60	2_2_08C27A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C27030	2_2_08C27030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C2C788	2_2_08C2C788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C28798	2_2_08C28798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C2F958	2_2_08C2F958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C258C3	2_2_08C258C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C2D4C8	2_2_08C2D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C278D5	2_2_08C278D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C2349D	2_2_08C2349D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C2B848	2_2_08C2B848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C2684D	2_2_08C2684D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C27A5A	2_2_08C27A5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C25E1E	2_2_08C25E1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C2702A	2_2_08C2702A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C2EA28	2_2_08C2EA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C265D2	2_2_08C265D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C28792	2_2_08C28792
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C2B5A8	2_2_08C2B5A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C2E760	2_2_08C2E760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C28561	2_2_08C28561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C28570	2_2_08C28570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C25918	2_2_08C25918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08C23538	2_2_08C23538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08D00040	2_2_08D00040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08D0000A	2_2_08D0000A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08D1E3F0	2_2_08D1E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08D18630	2_2_08D18630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08D1862E	2_2_08D1862E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08D1E968	2_2_08D1E968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 2_2_08D1F510	2_2_08D1F510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040BA10	11_2_0040BA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040E360	11_2_0040E360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00401040	11_2_00401040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00446040	11_2_00446040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0041A855	11_2_0041A855
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00446810	11_2_00446810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00410020	11_2_00410020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00432830	11_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004328D0	11_2_004328D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004298F0	11_2_004298F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004388A0	11_2_004388A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004400A0	11_2_004400A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0042F156	11_2_0042F156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00436162	11_2_00436162
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00446170	11_2_00446170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00443100	11_2_00443100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0043290E	11_2_0043290E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00444115	11_2_00444115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00413913	11_2_00413913
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0043291D	11_2_0043291D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004089D0	11_2_004089D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004349E0	11_2_004349E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00410990	11_2_00410990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040A1A0	11_2_0040A1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004201AB	11_2_004201AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004381BB	11_2_004381BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040CA40	11_2_0040CA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0043AA40	11_2_0043AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00447250	11_2_00447250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00445A52	11_2_00445A52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00421260	11_2_00421260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00429210	11_2_00429210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00446230	11_2_00446230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00433ADD	11_2_00433ADD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0042C2E0	11_2_0042C2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00446AE0	11_2_00446AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004462F0	11_2_004462F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00440A80	11_2_00440A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00402AB0	11_2_00402AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00421AB0	11_2_00421AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0041535E	11_2_0041535E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040EB00	11_2_0040EB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0041CB11	11_2_0041CB11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0043EB10	11_2_0043EB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0043F320	11_2_0043F320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0043C338	11_2_0043C338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004093C0	11_2_004093C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004503DE	11_2_004503DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004403E0	11_2_004403E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004363F8	11_2_004363F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00426380	11_2_00426380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00433396	11_2_00433396
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0041ABA1	11_2_0041ABA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00429BA0	11_2_00429BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0041FBB0	11_2_0041FBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0042C3BD	11_2_0042C3BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00438C40	11_2_00438C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00424C60	11_2_00424C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004034C0	11_2_004034C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00437CC1	11_2_00437CC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00407CF0	11_2_00407CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0043ACF0	11_2_0043ACF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0042D48E	11_2_0042D48E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0041B4A4	11_2_0041B4A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0043D4B2	11_2_0043D4B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00429D50	11_2_00429D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0043ED70	11_2_0043ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00421D10	11_2_00421D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0042CD16	11_2_0042CD16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00429D2E	11_2_00429D2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00419D3C	11_2_00419D3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004475C0	11_2_004475C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0043DD8B	11_2_0043DD8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0041DD90	11_2_0041DD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040C5A0	11_2_0040C5A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004215A0	11_2_004215A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004235B0	11_2_004235B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00408E40	11_2_00408E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0043F640	11_2_0043F640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0041C65D	11_2_0041C65D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00403E60	11_2_00403E60

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 00418F30 appears 102 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 0040B190 appears 53 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7456 -s 748

Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1735534870.0000000005F50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRP8PV.dll, vs SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000000.857609017.0000000000409000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNamexrecovery_installer.exe4 vs SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1737699609.0000000006A91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAimtars.dll0 vs SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1724443177.0000000003EC4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNamexrecovery_installer.exe4 vs SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1708773788.0000000002891000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNamexrecovery_installer.exe4 vs SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1708773788.0000000002891000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCFF Explorer.exe: vs SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1724443177.0000000003D84000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNamexrecovery_installer.exe4 vs SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1740923780.0000000007C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAimtars.dll0 vs SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1724443177.00000000038F9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCFF Explorer.exe: vs SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1724443177.0000000003A12000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCFF Explorer.exe: vs SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1707365503.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Binary or memory string: OriginalFileNamexrecovery_installer.exe4 vs SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe

Source: classification engine

Classification label: mal100.troj.evad.winEXE@13/8@12/3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_004349E0 CoCreateInstance,

11_2_004349E0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\fontdrvhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-d6b81a34-38b8-2ff938-1f616d5495c4}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7952

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c955033e-8aec-4e7b-8cd4-ed41ef18e9b8

Jump to behavior

Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000000.857609017.0000000000409000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1724443177.0000000003EC4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1724443177.0000000003D84000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000002.00000002.1817726454.000000000045C000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE IF NOT EXISTS HeartRates (Id INTEGER PRIMARY KEY, Reading INTEGER);

Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Virustotal: Detection: 73%
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7456 -s 748
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"
Source: C:\Windows\System32\fontdrvhost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7952 -s 148
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe

Static file information: File size 1261056 > 1048576

Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wkernel32.pdb source: fontdrvhost.exe, 0000000C.00000003.1719160795.0000000005030000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1719334815.0000000005150000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: fontdrvhost.exe, 0000000C.00000003.1720204321.0000000005250000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1719939750.0000000005030000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: fontdrvhost.exe, 0000000C.00000003.1717905553.0000000005220000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1717597471.0000000005030000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: fontdrvhost.exe, 0000000C.00000003.1718292734.0000000005030000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1718614976.00000000051D0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: fontdrvhost.exe, 0000000C.00000003.1717905553.0000000005220000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1717597471.0000000005030000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: fontdrvhost.exe, 0000000C.00000003.1718292734.0000000005030000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1718614976.00000000051D0000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbUGP source: fontdrvhost.exe, 0000000C.00000003.1719160795.0000000005030000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1719334815.0000000005150000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: fontdrvhost.exe, 0000000C.00000003.1720204321.0000000005250000.00000004.00000001.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1719939750.0000000005030000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, Ny7g.cs

.Net Code: NewLateBinding.LateCall(objectValue2, (Type)null, "Invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_05FB96FB pushfd ; ret	0_2_05FB9701
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637D3E6 push es; retf	0_2_0637D3F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637D3E1 push es; ret	0_2_0637D3E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637D3DA push es; iretd	0_2_0637D3E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637D3CE push ecx; retf	0_2_0637D3D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637D432 push ecx; iretd	0_2_0637D435
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637A0E1 push es; ret	0_2_0637A0F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0637A132 push es; iretd	0_2_0637A134
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_06412FD6 push es; ret	0_2_06412FD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_064157F5 push es; retf	0_2_064157F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07BEE240 push esp; ret	0_2_07BEE241
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07BEEFC0 pushfd ; retf	0_2_07BEEFC1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07C08E86 push cs; iretd	0_2_07C08E89
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07C0D62B push ebp; iretd	0_2_07C0D638
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F57BE4 push ds; iretd	0_2_07F57BE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F57FB1 push ss; ret	0_2_07F57FB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F56567 push 06BAEEA2h; ret	0_2_07F5656C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F5355A push ss; retf	0_2_07F53568
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F5363F push esp; ret	0_2_07F53640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F68F3F push ebx; retf	0_2_07F68F4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F6C0F4 push ecx; retf	0_2_07F6C0F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_07F8C4C5 push eax; iretd	0_2_07F8C4CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_089092A3 push eax; iretd	0_2_089092A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0890D01A push ecx; ret	0_2_0890D18E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0890D03E push ecx; ret	0_2_0890D18E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_088F7F05 push ebp; ret	0_2_088F7F06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_08908F39 push edx; retf	0_2_08908F4B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0890C926 push es; retf	0_2_0890C927
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_08908B2E pushad ; iretd	0_2_08908B3D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_0890934B pushad ; iretd	0_2_0890934C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Code function: 0_2_08937B71 push cs; iretd	0_2_08937B72

Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, a9GE.cs	High entropy of concatenated method names: 'Ep9n', 'b9T4', 'Ad18', 'Ry2a', 'Dx2i', 'g5C4', 'e1K7', 'An6b', 'j0QG', 'Wf2m'
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, s3R1.cs	High entropy of concatenated method names: 'Bd1j', 'MoveNext', 'Wb34', 'SetStateMachine', 'k1LJ', 'q0YQ', 't0R4', 'Yi6p', 'y9PM', 'z0T2'
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, i8F2.cs	High entropy of concatenated method names: 'Zr4q', 'k6HN', 'j3H1', 'k6Q3', 't3Q0', 'Sa0s', 'z3YE', 'Fi8p', 'Eo39', 'k5JW'

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	File opened: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe\:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe\:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe PID: 5884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 5328, type: MEMORYSTR

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Windows\SysWOW64\fontdrvhost.exe

Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Jump to behavior

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	System information queried: FirmwareTableInformation	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	API/Special instruction interceptor: Address: 7FFC1B60D044
Source: C:\Windows\SysWOW64\fontdrvhost.exe	API/Special instruction interceptor: Address: 7FFC1B60D044
Source: C:\Windows\SysWOW64\fontdrvhost.exe	API/Special instruction interceptor: Address: 53CB83A

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Windows\SysWOW64\fontdrvhost.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: fontdrvhost.exe, 0000000C.00000002.1820480662.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: E.EXEDNSPY.EXEPETOOLS.EXEAUTORUNSC.EXERESOURCEHACKER.EXEFILEMON.EXEREGMON.EXEWINDANR.EXEWINDBG.EXETIFI
Source: fontdrvhost.exe, 0000000C.00000002.1820480662.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: RUNS.EXEDUMPCAP.EXEDE4DOT.EXEHOOKEXPL
Source: fontdrvhost.exe, 0000000C.00000002.1820480662.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1708773788.0000000002891000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1724443177.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1724443177.0000000003A12000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ORIGINALFILENAMECFF EXPLORER.EXE:
Source: fontdrvhost.exe, 0000000C.00000002.1820480662.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1708773788.0000000002891000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1724443177.00000000038F9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1724443177.0000000003A12000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INTERNALNAMECFF EXPLORER.EXE
Source: fontdrvhost.exe, 0000000C.00000002.1820480662.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDBG.EXE
Source: fontdrvhost.exe, 0000000C.00000002.1820480662.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PETOOLS.EXE
Source: fontdrvhost.exe, 0000000C.00000002.1820480662.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: fontdrvhost.exe, 0000000C.00000002.1820480662.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DUMPCAP.EXE
Source: fontdrvhost.exe, 0000000C.00000002.1820480662.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WINDANR.EXE
Source: fontdrvhost.exe, 0000000C.00000002.1820480662.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE
Source: fontdrvhost.exe, 0000000C.00000002.1820480662.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASSO.EXEWIRESHARK.EXEFIDDLER EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMU""
Source: fontdrvhost.exe, 0000000C.00000002.1820480662.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory allocated: 25A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory allocated: 2890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory allocated: 2610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory allocated: 6A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory allocated: 7A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory allocated: 7F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory allocated: 8F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory allocated: 9280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 6FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 7FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 8420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 9420000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: VBoxGuest	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: C:\Windows\SysWOW64\vboxservice.exe	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: C:\Windows\SysWOW64\vboxtray.exe	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxMouse.sys	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: VBoxTrayIPC	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxSF.sys	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: C:\Windows\SysWOW64\vboxhook.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: \pipe\VBoxTrayIPC	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxVideo.sys	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: VBoxMiniRdrDN	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	File opened / queried: C:\Windows\SysWOW64\drivers\VBoxGuest.sys	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Window / User API: threadDelayed 2449	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Window / User API: threadDelayed 7405	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 1347	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 7639	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -99671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -98796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -98577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -98414s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -98309s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -98202s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -98087s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -97967s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -97780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -97671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -97562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -97449s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -97343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -97234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -97121s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -97015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -96906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -96796s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -96687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -96577s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -96468s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -96359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -96250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -96140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -96031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -95921s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -95812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -95703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -95593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -95484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -95187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -95078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -94968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -94859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -94749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -94640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -94530s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe TID: 5876	Thread sleep time: -94421s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -99864s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -99735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -99625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -99515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -99406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -99141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -98875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -98607s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -98500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -98391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -98266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -98156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -98047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -97937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -97828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -97719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -97609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -97500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -97391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -97266s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -97141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -97031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -96922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -96813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -96688s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -96563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -96453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -96344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -96219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -96103s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -96000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -95891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -95781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -95672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -95562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -95453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -95344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -95219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -95109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -95000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -94890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -94781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7408	Thread sleep time: -94672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7532	Thread sleep time: -57000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7404	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7392	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7940	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\fontdrvhost.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 98796	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 98577	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 98414	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 98309	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 98202	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 98087	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 97967	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 97780	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 97671	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 97449	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 97234	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 97121	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 97015	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 96906	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 96796	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 96687	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 96577	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 96468	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 96359	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 96250	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 96140	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 96031	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 95921	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 95812	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 95703	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 95593	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 95484	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 95187	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 95078	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 94968	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 94859	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 94749	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 94640	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 94530	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Thread delayed: delay time: 94421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99864	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 99141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98607	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 98047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 97031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96103	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 96000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 95891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 95781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 95672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 95562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 95453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 95344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 95219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 95109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 95000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 94890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 94781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 94672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.18.dr	Binary or memory string: VMware
Source: fontdrvhost.exe, 0000000C.00000003.1757556386.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1760243289.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1769110220.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1757614940.0000000002F6F000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1762381844.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1751331142.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1769175017.0000000002F6F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PnPEntityMicrosoft Hyper-V Virtualization Infrastructure Driver{4d36e97d-e325-11ce-bfc1-08002be10318}Win32_PnPEntityMicrosoft Hyper-V Virtualization Infrastructure DriverROOT\VID\0000System.String[]MicrosoftMicrosoft Hyper-V Virtualization Infrastructure DriverSystemROOT\VID\0000VidOKWin32_ComputerSystemuser-PCLMEM@
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1737699609.0000000006A91000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1740923780.0000000007C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: 1234093728qemu
Source: fontdrvhost.exe, 0000000C.00000003.1765407047.0000000005031000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Toolsm7Z
Source: Amcache.hve.18.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000B.00000002.1858849451.0000000000AC0000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000002.1820674864.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000002.1820674864.0000000002EFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1740923780.0000000007C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: vmsrvc
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1737699609.0000000006A91000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1740923780.0000000007C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: 1474865605QEMU
Source: Amcache.hve.18.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1740923780.0000000007C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: 77930674-vmware pointing device
Source: fontdrvhost.exe, 0000000C.00000003.1748242610.0000000002F70000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1751331142.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PnPEntityMicrosoft Hyper-V Generation Counter{4d36e97d-e325-11ce-bfc1-08002be10318}System.String[]Win32_PnPEntityMicrosoft Hyper-V Generation CounterACPI\VMW0001\7System.String[]MicrosoftMicrosoft Hyper-V Generation CounterSystemACPI\VMW0001\7gencounterOKWin32_ComputerSystemuser-PC
Source: Amcache.hve.18.dr	Binary or memory string: vmci.sys
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1740923780.0000000007C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: fontdrvhost.exe, 0000000C.00000002.1820674864.0000000002F83000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1769038277.0000000002F83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ceMicrosoft-Windows-Hyper-V-HypervisorMicrosoft-Windows-IphlpsvcMicrosoft-Windows-Isolated
Source: fontdrvhost.exe, 0000000C.00000003.1769038277.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000002.1820674864.0000000002F83000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1769038277.0000000002F83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1737699609.0000000006A91000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1740923780.0000000007C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: vmusrvc
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1
Source: fontdrvhost.exe, 0000000C.00000003.1748242610.0000000002F70000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1751331142.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp, Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.18.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1740923780.0000000007C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: vmtools
Source: Amcache.hve.18.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: fontdrvhost.exe, 0000000C.00000003.1757556386.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000002.1820674864.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1760243289.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1769110220.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1757614940.0000000002F6F000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1762381844.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1751331142.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1769175017.0000000002F6F000.00000004.00000020.00020000.00000000.sdmp, Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.18.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.18.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.18.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: AddInProcess32.exe, 00000002.00000002.1819536455.00000000010E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
Source: fontdrvhost.exe, 0000000C.00000003.1769038277.0000000002F7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oft-Windows-Devices-BackgroundMicrosoft-Windows-DfsSvcMicrosoft-Windows-Dhcp-ClientMicrosoft-Windows-DHCPv6-ClientMicrosoft-Windows-Diagnostics-NetworkingMicrosoft-Windows-Directory-Services-SAMMicrosoft-Windows-DiskDiagnosticMicrosoft-Windows-DistributedCOMMicrosoft-Windows-DNS-ClientMicrosoft-Windows-DriverFrameworks-UserModeMicrosoft-Windows-EnhancedStorage-EhStorTcgDrvMicrosoft-Windows-EventCollectorMicrosoft-Windows-EventlogMicrosoft-Windows-exFAT-SQMMicrosoft-Windows-FailoverClustering-ClientMicrosoft-Windows-Fat-SQMMicrosoft-Windows-Fault-Tolerant-HeapMicrosoft-Windows-FilterManagerMicrosoft-Windows-FirewallMicrosoft-Windows-FMSMicrosoft-Windows-FunctionDiscoveryHostMicrosoft-Windows-GPIO-ClassExtensionMicrosoft-Windows-GroupPolicyMicrosoft-Windows-HALMicrosoft-Windows-HttpEventMicrosoft-Windows-HttpServiceMicrosoft-Windows-Hyper-V-HypervisorMicrosoft-Windows-IphlpsvcMicrosoft-Windows-IsolatedUserModeMicrosoft-Windows-Kernel-BootMicrosoft-Windows-Kernel-GeneralMicrosoft-Windows-Kernel-Interrupt-SteeringMicrosoft-Windows-Kernel-IOMicrosoft-Windows-Kernel-PnPMicrosoft-Windows-Kernel-PowerMicrosoft-Windows-Kernel-Processor-PowerMicrosoft-Windows-Kernel-TmMicrosoft-Windows-Kernel-WHEAMicrosoft-Windows-Kernel-XDVMicrosoft-Windows-LanguagePackSetupMicrosoft-Windows-Memory-Diagnostic-Task-HandlerMicrosoft-Windows-MemoryDiagnostics-ResultsMicrosoft-Windows-MemoryDiagnostics-ScheduleMicrosoft-Windows-MountMgrMicrosoft-Windows-NDISMicrosoft-Windows-NdisImPlatformSysEvtProviderMicrosoft-Windows-NetworkBridgeMicrosoft-Windows-NtfsMicrosoft-Windows-Ntfs-UBPMMicrosoft-Windows-OfflineFilesMicrosoft-Windows-OverlayFilterMicrosoft-Windows-PersistentMemory-NvdimmMicrosoft-Windows-PersistentMemory-PmemDiskMicrosoft-Windows-Power-Meter-PollingMicrosoft-Windows-Power-TroubleshooterMicrosoft-Windows-ReFSMicrosoft-Windows-ReFS-v1Microsoft-Windows-ResetEngMicrosoft-Windows-Resource-Exhaustion-DetectorMicrosoft-Windows-ResourcePublicationMicrosoft-Windows-SCPNPMicrosoft-Windows-Serial-ClassExtensionMicrosoft-Windows-Serial-ClassExtension-V2Microsoft-Windows-ServicingMicrosoft-Windows-SetupMicrosoft-Windows-SetupPlatformMicrosoft-Windows-SPB-ClassExtensionMicrosoft-Windows-SPB-HIDI2CMicrosoft-Windows-Spell-CheckingMicrosoft-Windows-SpellCheckerMicrosoft-Windows-StartupRepairMicrosoft-Windows-Subsys-SMSSMicrosoft-Windows-TaskSchedulerMicrosoft-Windows-TerminalServices-LocalSessionManagerMicrosoft-Windows-TerminalServices-RemoteConnectionManagerMicrosoft-Windows-Time-ServiceMicrosoft-Windows-TPM-WMIMicrosoft-Windows-USB-CCIDMicrosoft-Windows-USB-MAUSBHOSTMicrosoft-Windows-USB-USBHUB3Microsoft-Windows-USB-USBXHCIMicrosoft-Windows-UserModePowerServiceMicrosoft-Windows-UserPnpMicrosoft-Windows-WHEA-LoggerMicrosoft-Windows-Windows Firewall With Advanced SecurityMicrosoft-Windows-WindowsToGo-StartupOptionsMicrosoft-Windows-WindowsUpdateClientMicrosoft-Windows-WininitMicrosoft-Windows-WinlogonMicrosoft-Windows-WLAN-AutoConfigMicrosoft-Windows-WMPNSS-Servicemlx4_busmouclass
Source: Amcache.hve.18.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1737699609.0000000006A91000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1740923780.0000000007C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VirtualMachine
Source: Amcache.hve.18.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1740923780.0000000007C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: vmware svga
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual USB Mouse
Source: fontdrvhost.exe, 0000000C.00000002.1820674864.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure 8
Source: fontdrvhost.exe, 0000000C.00000002.1820674864.0000000002F83000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 0000000C.00000003.1769038277.0000000002F83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HMicrosoft-Windows-Hyper-V-Hypervisor
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.18.dr	Binary or memory string: VMware, Inc.
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1737699609.0000000006A91000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1740923780.0000000007C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: 18292495#Microsoft Hyper-V
Source: fontdrvhost.exe, 0000000C.00000003.1748284620.0000000002F2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\pipe\VBoxTrayIPC*
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.18.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.18.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1737699609.0000000006A91000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1740923780.0000000007C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VirtualMachineDetector
Source: Amcache.hve.18.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: fontdrvhost.exe, 0000000C.00000003.1769110220.0000000002F2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmciVQ
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1740923780.0000000007C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: fontdrvhost.exe, 0000000C.00000003.1765407047.0000000005031000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.18.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: fontdrvhost.exe, 0000000C.00000002.1820674864.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_PnPEntityMicrosoft Hyper-V Virtualization Infrastructure Driver{4d36e97d-e325-11ce-bfc1-08002be10318}Win32_PnPEntityMicrosoft Hyper-V Virtualization Infrastructure 8
Source: Amcache.hve.18.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1707365503.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.18.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.18.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: fontdrvhost.exe, 0000000C.00000003.1719939750.0000000005030000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: Amcache.hve.18.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe, 00000000.00000002.1740923780.0000000007C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: fontdrvhost.exe, 0000000C.00000003.1719939750.0000000005030000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: AddInProcess32.exe, 0000000B.00000002.1859737649.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW#J1
Source: fontdrvhost.exe, 0000000C.00000002.1820674864.0000000002F6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ROOT\VID\0000System.String[]MicrosoftMicrosoft Hyper-V Virtualization Infrastructure DriverSyste

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 11_2_00444660 LdrInitializeThunk,

11_2_00444660

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 472000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 4B6000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: D64008	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 449000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 478000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47C000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47E000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 969008	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Windows\SysWOW64\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\fontdrvhost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: fontdrvhost.exe, 0000000C.00000002.1820480662.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tcpview.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: fontdrvhost.exe, 0000000C.00000002.1820480662.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Wireshark.exe
Source: Amcache.hve.18.dr, Amcache.hve.LOG1.18.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.18.dr, Amcache.hve.LOG1.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.18.dr, Amcache.hve.LOG1.18.dr	Binary or memory string: MsMpEng.exe
Source: fontdrvhost.exe, 0000000C.00000002.1820480662.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: regmon.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1857497759.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1843850127.00000000042FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1843850127.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 0000000C.00000003.1716528239.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1721376498.0000000002840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1820937664.0000000003030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1857497759.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1843850127.00000000042FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1843850127.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RHADAMANTHYS Stealer

Source: Yara match	File source: 0000000C.00000003.1716528239.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1721376498.0000000002840000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1820937664.0000000003030000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	31 Windows Management Instrumentation	1 Valid Accounts	1 Valid Accounts	1 Masquerading	21 Input Capture	641 Security Software Discovery	Remote Services	21 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Access Token Manipulation	1 Valid Accounts	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	211 Process Injection	1 Access Token Manipulation	Security Account Manager	261 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Disable or Modify Tools	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	261 Virtualization/Sandbox Evasion	LSA Secrets	233 System Information Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	211 Process Injection	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Deobfuscate/Decode Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	3 Obfuscated Files or Information	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Software Packing	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 DLL Side-Loading	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Rhadamanthys

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
SecuriteInfo.com.Trojan.PWS.Lumma.1819.32341.28310.exe