Windows Analysis Report
SoftWare(1).exe1.exe

Overview

General Information

Sample name: SoftWare(1).exe1.exe
Analysis ID: 1637270
MD5: dca5a4d306b6166c5a4d4756707712e8
SHA1: 62fada94166304380dcec9a7a980a359ba3ba101
SHA256: ba4bd6d7a2644c76ce30c905804302afdb1d0f5c6110bdedb7d4ea400f5c74bf
Tags: exeuser-TornadoAV_dev
Infos:

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: SoftWare(1).exe1.exe Avira: detected
Antivirus detection for URL or domain
Source: https://citydisco.bet:443/gdJIS Avira URL Cloud: Label: malware
Source: crosshairc.life/dAnjhw Avira URL Cloud: Label: malware
Source: https://citydisco.bet/gdJIS Avira URL Cloud: Label: malware
Found malware configuration
Source: 1.2.SoftWare(1).exe1.exe.400000.1.unpack Malware Configuration Extractor: LummaC {"C2 url": ["citydisco.bet/gdJIS", "crosshairc.life/dAnjhw", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "72ccc69330ea96770a98fad11f3418f4c49712a7e9c8cbc0fec1947b"}
Sample uses string decryption to hide its real strings
Source: 1.2.SoftWare(1).exe1.exe.400000.1.unpack String decryptor: citydisco.bet/gdJIS
Source: 1.2.SoftWare(1).exe1.exe.400000.1.unpack String decryptor: crosshairc.life/dAnjhw
Source: 1.2.SoftWare(1).exe1.exe.400000.1.unpack String decryptor: mrodularmall.top/aNzS
Source: 1.2.SoftWare(1).exe1.exe.400000.1.unpack String decryptor: jowinjoinery.icu/bdWUa
Source: 1.2.SoftWare(1).exe1.exe.400000.1.unpack String decryptor: legenassedk.top/bdpWO
Source: 1.2.SoftWare(1).exe1.exe.400000.1.unpack String decryptor: htardwarehu.icu/Sbdsa
Source: 1.2.SoftWare(1).exe1.exe.400000.1.unpack String decryptor: cjlaspcorne.icu/DbIps
Source: 1.2.SoftWare(1).exe1.exe.400000.1.unpack String decryptor: bugildbett.top/bAuz
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0041C833 CryptUnprotectData,CryptUnprotectData, 1_2_0041C833
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0041BCC0 CryptUnprotectData, 1_2_0041BCC0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0041C833 CryptUnprotectData,CryptUnprotectData, 1_2_0041C833
Uses 32bit PE files
Source: SoftWare(1).exe1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: SoftWare(1).exe1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00348ECE FindFirstFileExW, 0_2_00348ECE
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00348F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00348F7F
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00348ECE FindFirstFileExW, 1_2_00348ECE
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00348F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00348F7F
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ebx, byte ptr [esp+eax+00000104h] 1_2_0041C833
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 6D58C181h 1_2_00421890
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-4926828Eh] 1_2_00421890
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+04h] 1_2_00413143
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CF91E6EAh 1_2_0044A106
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then lea ecx, dword ptr [eax+eax] 1_2_00412AF8
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then lea ecx, dword ptr [eax-40000000h] 1_2_00412AF8
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then lea edx, dword ptr [ecx+ecx] 1_2_00412AF8
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then cmp word ptr [edi+ebx], 0000h 1_2_0044C2A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ebx, byte ptr [esp+edi+3E8E80E8h] 1_2_0044D300
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov word ptr [ecx], bx 1_2_0044D300
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx eax, byte ptr [esp+ecx+44h] 1_2_00444300
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], esi 1_2_0044C3A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h] 1_2_0044C3A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov ebp, ebx 1_2_0044C3A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ecx, di 1_2_0042FE40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-1272D010h] 1_2_0042FE40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h] 1_2_0044D7F0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+18h] 1_2_0040EFAE
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov word ptr [edi], cx 1_2_00429840
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edx, byte ptr [00451018h] 1_2_0040F066
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 1_2_00402800
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h 1_2_004480C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_00410897
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx] 1_2_00410897
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h] 1_2_0044D950
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-0D0EF488h] 1_2_0042D92B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh 1_2_004019E0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx-51AE6CD0h] 1_2_0044AA55
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov dword ptr [esp], 8B8A8924h 1_2_0043F250
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx eax, byte ptr [esp+edx+19DCC0F6h] 1_2_00445250
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ebx, byte ptr [ebp+edi+00h] 1_2_00445250
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov byte ptr [ecx], dl 1_2_00423A70
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov byte ptr [edi], cl 1_2_00423A70
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], C446A772h 1_2_0041E21B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-4926821Eh] 1_2_0041E21B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-4926821Eh] 1_2_0041E21B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h 1_2_0041E21B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then jmp eax 1_2_0041E21B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+70h] 1_2_0041E21B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-49268212h] 1_2_0041E21B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx esi, byte ptr [eax] 1_2_00448220
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h 1_2_004292C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6BB1A2B4h] 1_2_004482E0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000FAh] 1_2_00433A88
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then push eax 1_2_00449B7F
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ebx, byte ptr [esp+eax+00000104h] 1_2_0041C833
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 1_2_0040A320
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 1_2_0040A320
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000FAh] 1_2_00433A88
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+34h] 1_2_00433330
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov byte ptr [esi], cl 1_2_00436BE5
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx eax, byte ptr [esp+edx+68h] 1_2_00437BB8
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov byte ptr [ecx], dl 1_2_00411C5F
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 1_2_00435C60
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov dword ptr [esp+08h], ebx 1_2_00445C70
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_00410C1B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx] 1_2_00410C1B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx eax, byte ptr [esp+esi+5Ch] 1_2_0042F430
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 1_2_00441480
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+49408C66h] 1_2_00428CB0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 1_2_0044BD46
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov byte ptr [eax], cl 1_2_0041EDDC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6D3F2F7Eh] 1_2_00420D90
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edx, byte ptr [eax] 1_2_00448590
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+50h] 1_2_004305B2
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 1_2_0041AE40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov byte ptr [edi], cl 1_2_00438E42
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov dword ptr [esp+10h], ecx 1_2_00438E42
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then add eax, esi 1_2_00437627
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edx, byte ptr [ebp+ecx+00h] 1_2_0040CE30
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ebx, byte ptr [eax+esi] 1_2_0040CE30
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov dword ptr [esp+10h], ecx 1_2_00438E39
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+0Ah] 1_2_00445ED1
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax] 1_2_00445ED1
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h] 1_2_004236EB
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov byte ptr [ebx], cl 1_2_004386EC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_00432F60
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edi, byte ptr [esi+edx] 1_2_00432F60
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_00432F60
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax] 1_2_0041AF00
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-4926828Ah] 1_2_0041AF00
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A92C912h] 1_2_0040C710
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-2Ah] 1_2_0044C7D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+04h] 1_2_00412FDB
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax] 1_2_00446790
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov byte ptr [eax], cl 1_2_0041EFAD
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 1_2_00433FB0

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: citydisco.bet/gdJIS
Source: Malware configuration extractor URLs: crosshairc.life/dAnjhw
Source: Malware configuration extractor URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor URLs: bugildbett.top/bAuz
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49712 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 188.114.96.3:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 97Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=J28v2iOMgLZ6sUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14912Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=8Gs56iC9nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15041Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=X23YBNNYIoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20535Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=BVkqoVRd23dUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2606Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=JkM2XnzkV90aH3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1090Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 135Host: citydisco.bet
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: citydisco.bet
Source: unknown HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 97Host: citydisco.bet
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SoftWare(1).exe1.exe, 00000001.00000003.1623669679.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1580306859.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602098251.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1624372039.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000002.1625502494.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602360035.0000000000C13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/
Source: SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602098251.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602360035.0000000000C13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/3
Source: SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602098251.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602360035.0000000000C13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/:
Source: SoftWare(1).exe1.exe, 00000001.00000003.1498548634.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1624044709.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1580093009.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1623669679.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1498327150.0000000000C37000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1498217709.0000000000C36000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1522885823.0000000000C37000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1523213989.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1523610470.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1580306859.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1550248094.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1522902781.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1580607406.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1499635397.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1523274461.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000002.1625535942.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1624372039.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1498172157.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1524423633.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602215909.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJIS
Source: SoftWare(1).exe1.exe, 00000001.00000003.1549986383.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1550356936.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJIS0
Source: SoftWare(1).exe1.exe, 00000001.00000003.1549986383.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJIS4
Source: SoftWare(1).exe1.exe, 00000001.00000003.1623669679.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1624372039.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000002.1625502494.0000000000C14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJIS=.
Source: SoftWare(1).exe1.exe, 00000001.00000003.1580204979.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJISD
Source: SoftWare(1).exe1.exe, 00000001.00000003.1623669679.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1624372039.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602098251.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000002.1625502494.0000000000C14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJISG
Source: SoftWare(1).exe1.exe, 00000001.00000003.1498172157.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJIST
Source: SoftWare(1).exe1.exe, 00000001.00000003.1580306859.0000000000C20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJISl
Source: SoftWare(1).exe1.exe, 00000001.00000003.1623669679.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602098251.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1624372039.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000002.1625502494.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602360035.0000000000C13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/kI
Source: SoftWare(1).exe1.exe, 00000001.00000003.1580306859.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602098251.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602360035.0000000000C13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/m
Source: SoftWare(1).exe1.exe, 00000001.00000002.1625670673.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet:443/gdJIS
Source: SoftWare(1).exe1.exe, 00000001.00000002.1625670673.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1580041579.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet:443/gdJISJAD2
Source: SoftWare(1).exe1.exe, 00000001.00000003.1580041579.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1524404877.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1522858103.0000000000C42000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1523161611.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet:443/gdJISl
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: SoftWare(1).exe1.exe, 00000001.00000003.1524502771.00000000034D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: SoftWare(1).exe1.exe, 00000001.00000003.1524502771.00000000034D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: SoftWare(1).exe1.exe, 00000001.00000003.1524502771.00000000034D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: SoftWare(1).exe1.exe, 00000001.00000003.1524502771.00000000034D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: SoftWare(1).exe1.exe, 00000001.00000003.1524502771.00000000034D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: SoftWare(1).exe1.exe, 00000001.00000003.1524502771.00000000034D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: SoftWare(1).exe1.exe, 00000001.00000003.1524502771.00000000034D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: SoftWare(1).exe1.exe, 00000001.00000003.1524502771.00000000034D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49712 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0043F410 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard, 1_2_0043F410
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0043F410 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard, 1_2_0043F410
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0043FC48 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 1_2_0043FC48
Detected potential crypto function
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_003031F0 0_2_003031F0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00303640 0_2_00303640
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0031A820 0_2_0031A820
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00319020 0_2_00319020
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0032A020 0_2_0032A020
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00333813 0_2_00333813
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0031C010 0_2_0031C010
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00301000 0_2_00301000
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00306070 0_2_00306070
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0032F060 0_2_0032F060
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00314040 0_2_00314040
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_003058A0 0_2_003058A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0031E0A0 0_2_0031E0A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00308090 0_2_00308090
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00310890 0_2_00310890
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00323890 0_2_00323890
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00331890 0_2_00331890
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00304080 0_2_00304080
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0032D080 0_2_0032D080
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_003300D0 0_2_003300D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00332920 0_2_00332920
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00320110 0_2_00320110
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00329100 0_2_00329100
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0034C908 0_2_0034C908
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0030E170 0_2_0030E170
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00333160 0_2_00333160
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00304940 0_2_00304940
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0031C940 0_2_0031C940
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0032F9B0 0_2_0032F9B0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00316180 0_2_00316180
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0031B1E0 0_2_0031B1E0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00305220 0_2_00305220
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00309220 0_2_00309220
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00325220 0_2_00325220
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00320A10 0_2_00320A10
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00326A00 0_2_00326A00
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00328200 0_2_00328200
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00328A50 0_2_00328A50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00336A54 0_2_00336A54
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00329AB0 0_2_00329AB0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0030EAA0 0_2_0030EAA0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00314290 0_2_00314290
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00302280 0_2_00302280
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0032F2E0 0_2_0032F2E0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0030F2D0 0_2_0030F2D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_003152C0 0_2_003152C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0030C310 0_2_0030C310
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0030B300 0_2_0030B300
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0031FB70 0_2_0031FB70
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00321370 0_2_00321370
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00320350 0_2_00320350
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00308340 0_2_00308340
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0032EB40 0_2_0032EB40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0031ABA0 0_2_0031ABA0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00306390 0_2_00306390
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00313390 0_2_00313390
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_003173F0 0_2_003173F0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0031F3D0 0_2_0031F3D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00305C20 0_2_00305C20
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00341420 0_2_00341420
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0033B41A 0_2_0033B41A
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00333477 0_2_00333477
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00325C60 0_2_00325C60
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00328450 0_2_00328450
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00302C40 0_2_00302C40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0031EC40 0_2_0031EC40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00328C40 0_2_00328C40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_003054A0 0_2_003054A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00310490 0_2_00310490
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00333C90 0_2_00333C90
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00306C80 0_2_00306C80
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00316480 0_2_00316480
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00325480 0_2_00325480
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00332480 0_2_00332480
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0031CCE0 0_2_0031CCE0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0030E4C0 0_2_0030E4C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00313CC0 0_2_00313CC0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00307D30 0_2_00307D30
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0030F530 0_2_0030F530
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0030AD30 0_2_0030AD30
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00339536 0_2_00339536
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00319500 0_2_00319500
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0031D560 0_2_0031D560
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0031DD50 0_2_0031DD50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0032FD50 0_2_0032FD50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00318540 0_2_00318540
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_003155B0 0_2_003155B0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0032EDB0 0_2_0032EDB0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00309580 0_2_00309580
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0032DD80 0_2_0032DD80
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0032F5D0 0_2_0032F5D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_003335C0 0_2_003335C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0031B630 0_2_0031B630
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00329630 0_2_00329630
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00317620 0_2_00317620
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00310E20 0_2_00310E20
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00330620 0_2_00330620
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00304660 0_2_00304660
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00317E50 0_2_00317E50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00308640 0_2_00308640
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00316E40 0_2_00316E40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0031C6A0 0_2_0031C6A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00312E90 0_2_00312E90
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00328690 0_2_00328690
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00332E90 0_2_00332E90
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0032B680 0_2_0032B680
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_003126F0 0_2_003126F0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00331EF0 0_2_00331EF0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0030E730 0_2_0030E730
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00319720 0_2_00319720
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00329F00 0_2_00329F00
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0031FF70 0_2_0031FF70
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00301790 0_2_00301790
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00316790 0_2_00316790
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0030B780 0_2_0030B780
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00320F80 0_2_00320F80
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0034E782 0_2_0034E782
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00309FF0 0_2_00309FF0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_003067D0 0_2_003067D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0031A820 1_2_0031A820
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00319020 1_2_00319020
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0032A020 1_2_0032A020
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00333813 1_2_00333813
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0031C010 1_2_0031C010
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00301000 1_2_00301000
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0032F060 1_2_0032F060
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00314040 1_2_00314040
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_003058A0 1_2_003058A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0031E0A0 1_2_0031E0A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00308090 1_2_00308090
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00310890 1_2_00310890
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00323890 1_2_00323890
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00331890 1_2_00331890
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00304080 1_2_00304080
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0032D080 1_2_0032D080
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_003300D0 1_2_003300D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00332920 1_2_00332920
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00320110 1_2_00320110
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00329100 1_2_00329100
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0034C908 1_2_0034C908
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0030E170 1_2_0030E170
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00333160 1_2_00333160
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00304940 1_2_00304940
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0031C940 1_2_0031C940
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0032F9B0 1_2_0032F9B0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00316180 1_2_00316180
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_003031F0 1_2_003031F0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0031B1E0 1_2_0031B1E0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00305220 1_2_00305220
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00309220 1_2_00309220
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00325220 1_2_00325220
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00320A10 1_2_00320A10
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00326A00 1_2_00326A00
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00328200 1_2_00328200
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00328A50 1_2_00328A50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00336A54 1_2_00336A54
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00329AB0 1_2_00329AB0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0030EAA0 1_2_0030EAA0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00314290 1_2_00314290
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00302280 1_2_00302280
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0032F2E0 1_2_0032F2E0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0030F2D0 1_2_0030F2D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_003152C0 1_2_003152C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0030C310 1_2_0030C310
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0030B300 1_2_0030B300
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0031FB70 1_2_0031FB70
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00321370 1_2_00321370
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00320350 1_2_00320350
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00308340 1_2_00308340
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0032EB40 1_2_0032EB40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0031ABA0 1_2_0031ABA0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00306390 1_2_00306390
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00313390 1_2_00313390
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_003173F0 1_2_003173F0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0031F3D0 1_2_0031F3D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00305C20 1_2_00305C20
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00341420 1_2_00341420
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0033B41A 1_2_0033B41A
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00333477 1_2_00333477
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00325C60 1_2_00325C60
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00328450 1_2_00328450
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00302C40 1_2_00302C40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0031EC40 1_2_0031EC40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00328C40 1_2_00328C40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_003054A0 1_2_003054A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00310490 1_2_00310490
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00333C90 1_2_00333C90
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00306C80 1_2_00306C80
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00316480 1_2_00316480
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00325480 1_2_00325480
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00332480 1_2_00332480
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0031CCE0 1_2_0031CCE0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0030E4C0 1_2_0030E4C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00313CC0 1_2_00313CC0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00307D30 1_2_00307D30
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0030F530 1_2_0030F530
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0030AD30 1_2_0030AD30
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00339536 1_2_00339536
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00319500 1_2_00319500
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0031D560 1_2_0031D560
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0031DD50 1_2_0031DD50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0032FD50 1_2_0032FD50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00318540 1_2_00318540
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_003155B0 1_2_003155B0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0032EDB0 1_2_0032EDB0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00309580 1_2_00309580
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0032DD80 1_2_0032DD80
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0032F5D0 1_2_0032F5D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_003335C0 1_2_003335C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0031B630 1_2_0031B630
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00329630 1_2_00329630
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00317620 1_2_00317620
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00310E20 1_2_00310E20
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00330620 1_2_00330620
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00304660 1_2_00304660
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00317E50 1_2_00317E50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00308640 1_2_00308640
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00303640 1_2_00303640
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00316E40 1_2_00316E40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0031C6A0 1_2_0031C6A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00312E90 1_2_00312E90
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00328690 1_2_00328690
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00332E90 1_2_00332E90
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0032B680 1_2_0032B680
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_003126F0 1_2_003126F0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00331EF0 1_2_00331EF0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0030E730 1_2_0030E730
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00319720 1_2_00319720
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00329F00 1_2_00329F00
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0031FF70 1_2_0031FF70
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00301790 1_2_00301790
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00316790 1_2_00316790
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0030B780 1_2_0030B780
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00320F80 1_2_00320F80
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0034E782 1_2_0034E782
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00309FF0 1_2_00309FF0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_003067D0 1_2_003067D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0041C833 1_2_0041C833
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_004380C8 1_2_004380C8
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_004110F9 1_2_004110F9
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00421890 1_2_00421890
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_004378B8 1_2_004378B8
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0040BA50 1_2_0040BA50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00412AF8 1_2_00412AF8
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00444300 1_2_00444300
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_004283A0 1_2_004283A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0042CBA0 1_2_0042CBA0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0044C3A0 1_2_0044C3A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0041BCC0 1_2_0041BCC0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00447DF0 1_2_00447DF0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0042FE40 1_2_0042FE40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0044CE10 1_2_0044CE10
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00415EF9 1_2_00415EF9
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0040EFAE 1_2_0040EFAE
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00401040 1_2_00401040
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0041F065 1_2_0041F065
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00417870 1_2_00417870
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00427830 1_2_00427830
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00445830 1_2_00445830
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00449832 1_2_00449832
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00402140 1_2_00402140
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0040D940 1_2_0040D940
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00426150 1_2_00426150
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00451150 1_2_00451150
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00439160 1_2_00439160
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00442168 1_2_00442168
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0040B970 1_2_0040B970
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00451170 1_2_00451170
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00424900 1_2_00424900
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0042D92B 1_2_0042D92B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0045113C 1_2_0045113C
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0040F9C0 1_2_0040F9C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_004139D0 1_2_004139D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0043B9F9 1_2_0043B9F9
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00412185 1_2_00412185
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00445250 1_2_00445250
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00429A70 1_2_00429A70
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0042020C 1_2_0042020C
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00426A15 1_2_00426A15
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0041E21B 1_2_0041E21B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_004292C0 1_2_004292C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0044CAE0 1_2_0044CAE0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00408A80 1_2_00408A80
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0044B280 1_2_0044B280
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00431290 1_2_00431290
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00445AA0 1_2_00445AA0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_004512AC 1_2_004512AC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_004252B0 1_2_004252B0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00402B50 1_2_00402B50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0041C833 1_2_0041C833
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0040A320 1_2_0040A320
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0040C320 1_2_0040C320
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00416B81 1_2_00416B81
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0044B380 1_2_0044B380
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00411C5F 1_2_00411C5F
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0042D460 1_2_0042D460
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00432407 1_2_00432407
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0043F410 1_2_0043F410
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0042F430 1_2_0042F430
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0043DC31 1_2_0043DC31
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_004384C3 1_2_004384C3
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0040D4D0 1_2_0040D4D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_004434DF 1_2_004434DF
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0041DCDF 1_2_0041DCDF
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0044B4F0 1_2_0044B4F0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00410483 1_2_00410483
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0042F489 1_2_0042F489
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00424C90 1_2_00424C90
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0044BCB6 1_2_0044BCB6
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00409540 1_2_00409540
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00443540 1_2_00443540
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0043155F 1_2_0043155F
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00403560 1_2_00403560
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00425560 1_2_00425560
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00413D09 1_2_00413D09
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0040AD20 1_2_0040AD20
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0043B536 1_2_0043B536
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0041EDDC 1_2_0041EDDC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0044B580 1_2_0044B580
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00420D90 1_2_00420D90
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00407DA0 1_2_00407DA0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_004305B2 1_2_004305B2
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00433640 1_2_00433640
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00448650 1_2_00448650
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0043C610 1_2_0043C610
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0044B61F 1_2_0044B61F
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00437627 1_2_00437627
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0040CE30 1_2_0040CE30
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0040E6D0 1_2_0040E6D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00444ED0 1_2_00444ED0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00445ED1 1_2_00445ED1
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_004326E0 1_2_004326E0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_004386EC 1_2_004386EC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00430E93 1_2_00430E93
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00410EAB 1_2_00410EAB
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00403F00 1_2_00403F00
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0043E703 1_2_0043E703
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0041AF00 1_2_0041AF00
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0040C710 1_2_0040C710
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00436729 1_2_00436729
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0042D730 1_2_0042D730
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00408FC0 1_2_00408FC0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0044C7D0 1_2_0044C7D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_004047E2 1_2_004047E2
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_004437A0 1_2_004437A0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: String function: 0041AEF0 appears 102 times
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: String function: 00336F60 appears 102 times
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: String function: 00344014 appears 34 times
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: String function: 0040B350 appears 52 times
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: String function: 0033F1CC appears 46 times
PE / OLE file has an invalid certificate
Source: SoftWare(1).exe1.exe Static PE information: invalid certificate
Uses 32bit PE files
Source: SoftWare(1).exe1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SoftWare(1).exe1.exe Static PE information: Section: .bss ZLIB complexity 1.0003231990014265
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00444300 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 1_2_00444300
Source: SoftWare(1).exe1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SoftWare(1).exe1.exe, 00000001.00000003.1498818033.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1467279104.00000000032B4000.00000004.00000800.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1466788883.00000000032F8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File read: C:\Users\user\Desktop\SoftWare(1).exe1.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SoftWare(1).exe1.exe "C:\Users\user\Desktop\SoftWare(1).exe1.exe"
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Process created: C:\Users\user\Desktop\SoftWare(1).exe1.exe "C:\Users\user\Desktop\SoftWare(1).exe1.exe"
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Process created: C:\Users\user\Desktop\SoftWare(1).exe1.exe "C:\Users\user\Desktop\SoftWare(1).exe1.exe" Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: SoftWare(1).exe1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0033711A push ecx; ret 0_2_0033712D
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_003B8FF1 push es; iretd 0_2_003B8FF2
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0033711A push ecx; ret 1_2_0033712D
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_003B8FF1 push es; iretd 1_2_003B8FF2
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_004513DA push edx; retf 1_2_004513FE
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_004554C9 push 00000000h; iretd 1_2_00455520
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00451648 pushad ; retf 1_2_00451689
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00455676 push 00000000h; iretd 1_2_004556EC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00455766 push 00000000h; ret 1_2_00455770
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_004517FC push ebx; ret 1_2_00451803
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe System information queried: FirmwareTableInformation Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe API coverage: 9.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe TID: 3256 Thread sleep time: -150000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe TID: 3148 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00348ECE FindFirstFileExW, 0_2_00348ECE
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00348F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00348F7F
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00348ECE FindFirstFileExW, 1_2_00348ECE
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00348F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 1_2_00348F7F
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499129154.00000000032E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: SoftWare(1).exe1.exe, 00000001.00000003.1624223530.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602150925.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1554884834.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000002.1625328858.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: SoftWare(1).exe1.exe, 00000001.00000003.1624350076.0000000000B7F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000002.1625195430.0000000000B80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1623865263.0000000000B7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00449B30 LdrInitializeThunk, 1_2_00449B30
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00336DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00336DE8
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0035F1B4 mov edi, dword ptr fs:[00000030h] 0_2_0035F1B4
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0034490C GetProcessHeap, 0_2_0034490C
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00336A2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00336A2C
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00336DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00336DE8
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00336DDC SetUnhandledExceptionFilter, 0_2_00336DDC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0033EF1E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0033EF1E
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00336A2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00336A2C
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00336DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00336DE8
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_00336DDC SetUnhandledExceptionFilter, 1_2_00336DDC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 1_2_0033EF1E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0033EF1E

HIPS / PFW / Operating System Protection Evasion
barindex
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_0035F1B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_0035F1B4
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Memory written: C:\Users\user\Desktop\SoftWare(1).exe1.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Process created: C:\Users\user\Desktop\SoftWare(1).exe1.exe "C:\Users\user\Desktop\SoftWare(1).exe1.exe" Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: EnumSystemLocalesW, 0_2_003488AB
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: GetLocaleInfoW, 0_2_003488F6
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0034899D
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: EnumSystemLocalesW, 0_2_003441F7
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00348238
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: GetLocaleInfoW, 0_2_00348AA3
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: EnumSystemLocalesW, 0_2_00348489
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: GetLocaleInfoW, 0_2_00343CFC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00348524
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: EnumSystemLocalesW, 0_2_00348777
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: GetLocaleInfoW, 0_2_003487D6
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: EnumSystemLocalesW, 1_2_003488AB
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: GetLocaleInfoW, 1_2_003488F6
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_0034899D
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: EnumSystemLocalesW, 1_2_003441F7
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_00348238
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: GetLocaleInfoW, 1_2_00348AA3
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: EnumSystemLocalesW, 1_2_00348489
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: GetLocaleInfoW, 1_2_00343CFC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_00348524
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: EnumSystemLocalesW, 1_2_00348777
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: GetLocaleInfoW, 1_2_003487D6
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Code function: 0_2_00337827 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00337827
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: SoftWare(1).exe1.exe, 00000001.00000003.1580306859.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1580607406.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1623669679.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1580306859.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1580093009.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: SoftWare(1).exe1.exe PID: 2340, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: SoftWare(1).exe1.exe, 00000001.00000003.1624223530.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: SoftWare(1).exe1.exe, 00000001.00000003.1624223530.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: SoftWare(1).exe1.exe, 00000001.00000003.1623865263.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: SoftWare(1).exe1.exe, 00000001.00000003.1624223530.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: SoftWare(1).exe1.exe, 00000001.00000003.1554884834.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: SoftWare(1).exe1.exe, 00000001.00000003.1554842772.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: SoftWare(1).exe1.exe, 00000001.00000003.1624223530.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: SoftWare(1).exe1.exe, 00000001.00000003.1580306859.0000000000C03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Directory queried: C:\Users\user\Documents\QCOILOQIKC Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Directory queried: C:\Users\user\Documents\QCOILOQIKC Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000003.1554884834.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SoftWare(1).exe1.exe PID: 2340, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: SoftWare(1).exe1.exe PID: 2340, type: MEMORYSTR
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.96.3
 citydisco.bet European Union
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
citydisco.bet 188.114.96.3 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
mrodularmall.top/aNzS false
    		high
    bugildbett.top/bAuz false
      		high
      jowinjoinery.icu/bdWUa false
        		high
        legenassedk.top/bdpWO false
          		high
          citydisco.bet/gdJIS false
            		high
            htardwarehu.icu/Sbdsa false
              		high
              https://citydisco.bet/gdJIS false
              • Avira URL Cloud: malware
              		 unknown
              crosshairc.life/dAnjhw true
              • Avira URL Cloud: malware
              		 unknown
              cjlaspcorne.icu/DbIps false
                		high