Windows Analysis Report
ModMenu.exe1.exe

Overview

General Information

Sample name: ModMenu.exe1.exe
Analysis ID: 1637275
MD5: a2f90072225a24e54afd50bb7e6d9b22
SHA1: 5e98f0335ae6dce3fe2702202e9fe2f5983fa776
SHA256: edb5eafb528ee827210fa70e02a614a3332d9ffbb991f5d7b748e85972b44e40
Tags: exe, user-TornadoAV_dev

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection

Source: ModMenu.exe1.exe Avira: detected
Source: https://citydisco.bet:443/gdJIS Avira URL Cloud: Label: malware
Source: crosshairc.life/dAnjhw Avira URL Cloud: Label: malware
Source: 00000000.00000002.1191730492.0000000000859000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["citydisco.bet/gdJIS", "crosshairc.life/dAnjhw", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "6d41630dec3ef478913e977c36f12bc0bb39167a995fd39f57f4"}
Source: ModMenu.exe1.exe ReversingLabs: Detection: 47%
Source: ModMenu.exe1.exe Virustotal: Detection: 46%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.5% probability
Source: 00000000.00000002.1191730492.0000000000859000.00000004.00000020.00020000.00000000.sdmp String decryptor: citydisco.bet/gdJIS
Source: 00000000.00000002.1191730492.0000000000859000.00000004.00000020.00020000.00000000.sdmp String decryptor: crosshairc.life/dAnjhw
Source: 00000000.00000002.1191730492.0000000000859000.00000004.00000020.00020000.00000000.sdmp String decryptor: mrodularmall.top/aNzS
Source: 00000000.00000002.1191730492.0000000000859000.00000004.00000020.00020000.00000000.sdmp String decryptor: jowinjoinery.icu/bdWUa
Source: 00000000.00000002.1191730492.0000000000859000.00000004.00000020.00020000.00000000.sdmp String decryptor: legenassedk.top/bdpWO
Source: 00000000.00000002.1191730492.0000000000859000.00000004.00000020.00020000.00000000.sdmp String decryptor: htardwarehu.icu/Sbdsa
Source: 00000000.00000002.1191730492.0000000000859000.00000004.00000020.00020000.00000000.sdmp String decryptor: cjlaspcorne.icu/DbIps
Source: 00000000.00000002.1191730492.0000000000859000.00000004.00000020.00020000.00000000.sdmp String decryptor: bugildbett.top/bAuz
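The configuration above is the most actionable output of the report: every entry in "C2 url" is a host/path pair the stealer will try in turn (in this run only citydisco.bet was contacted, see the Networking section; the others are fallbacks and should be blocked as well), and "Build id" identifies the campaign build. The following script is an added example, not part of the Joe Sandbox report or of LummaC: it takes the extracted JSON as printed, normalises it into domains and URLs (assuming HTTPS on 443, which is what the recorded traffic used) and emits Suricata dns.query and tls.sni rules. The sid range 9000000+ is an assumed local range.

```python
import json
import re

# Configuration exactly as the report's Malware Configuration Extractor printed it;
# nothing here is re-extracted from the binary.
LUMMAC_CONFIG_JSON = json.dumps({
    "C2 url": [
        "citydisco.bet/gdJIS", "crosshairc.life/dAnjhw", "mrodularmall.top/aNzS",
        "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa",
        "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz",
    ],
    "Build id": "6d41630dec3ef478913e977c36f12bc0bb39167a995fd39f57f4",
})

_C2_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+)(?::(\d+))?(/.*)?$")


def parse_c2(entry):
    """Split one 'host/path' entry into (host, port, path).

    The entries carry no scheme or port; the recorded traffic was TLS on 443,
    so 443 is the assumed default."""
    m = _C2_RE.match(entry.strip())
    if not m:
        raise ValueError(f"unparseable C2 entry: {entry!r}")
    host, port, path = m.group(1).lower(), m.group(2), m.group(3) or "/"
    return host, int(port) if port else 443, path


def config_to_iocs(config_json):
    """Normalise the extractor output into deduplicated domains, full URLs and the build id."""
    cfg = json.loads(config_json)
    iocs = {"domains": [], "urls": [], "build_id": cfg.get("Build id")}
    for entry in cfg.get("C2 url", []):
        host, port, path = parse_c2(entry)
        port_part = "" if port == 443 else f":{port}"
        if host not in iocs["domains"]:
            iocs["domains"].append(host)
        iocs["urls"].append(f"https://{host}{port_part}{path}")
    return iocs


def suricata_rules(iocs, sid_base=9000000):
    """One dns.query rule and one tls.sni rule per C2 domain.

    sid_base is an assumed local range; pick one that does not collide with ET sids."""
    rules, sid = [], sid_base
    for d in iocs["domains"]:
        rules.append(f'alert dns any any -> any any (msg:"LummaC C2 domain {d} (DNS)"; '
                     f'dns.query; content:"{d}"; nocase; endswith; sid:{sid}; rev:1;)')
        sid += 1
        rules.append(f'alert tls any any -> any any (msg:"LummaC C2 domain {d} (SNI)"; '
                     f'tls.sni; content:"{d}"; nocase; endswith; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    iocs = config_to_iocs(LUMMAC_CONFIG_JSON)
    print("build id:", iocs["build_id"])
    print("\n".join(iocs["urls"]))
    print("\n".join(suricata_rules(iocs)))
```

The TLS rule matters more than the DNS one here: the sample resolved citydisco.bet through 1.1.1.1 over TCP port 53, which a resolver-based DNS log on the host will never see, whereas the SNI is visible on every one of the seven TLS 1.2 sessions the report lists.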
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0041BBA0 CryptUnprotectData, 2_2_0041BBA0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0041FC98 CryptUnprotectData, 2_2_0041FC98
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_004207A3 CryptUnprotectData, 2_2_004207A3
Source: ModMenu.exe1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49681 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49684 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49686 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49688 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49690 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49691 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49694 version: TLS 1.2
Source: ModMenu.exe1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
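The two static PE lines above (EXECUTABLE_IMAGE / 32BIT_MACHINE, and DYNAMIC_BASE / NX_COMPAT / TERMINAL_SERVER_AWARE) together with the "PE / OLE file has an invalid certificate" signature all come from the COFF and optional headers. The parser below is an added example and not the sandbox's own code: it reads those fields and the Authenticode security directory from a PE image. The image it runs on is a header-only PE32 constructed by build_pe(), with a placeholder DER blob standing in for the PKCS#7 signature; nothing is read from the sample itself. Note the caveat the report's wording implies: finding a WIN_CERTIFICATE structure only tells you a signature is attached, not that it verifies. Checking validity means hashing the file per the Authenticode rules and validating the PKCS#7 chain, which this parser deliberately does not attempt.

```python
import struct

COFF_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE",
                       0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF",
                       0x8000: "TERMINAL_SERVER_AWARE"}
MACHINES = {0x014C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def parse_pe(buf):
    """Read machine, COFF and DLL characteristics and the Authenticode directory.

    Unlike the other data directories, the security entry holds a raw file offset,
    not an RVA, so it can be read without mapping sections."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", buf, opt)[0] == 0x20B
    dll_chars = struct.unpack_from("<H", buf, opt + 70)[0]          # same offset in PE32 and PE32+
    n_dirs = struct.unpack_from("<I", buf, opt + (108 if pe32plus else 92))[0]
    dir_base = opt + (112 if pe32plus else 96)
    info = {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": pe32plus,
        "characteristics": [n for b, n in COFF_CHARACTERISTICS.items() if chars & b],
        "dll_characteristics": [n for b, n in DLL_CHARACTERISTICS.items() if dll_chars & b],
        "certificate": None,
    }
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from("<II", buf, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        if sec_off and sec_size:
            # WIN_CERTIFICATE: dwLength, wRevision (0x0200), wCertificateType (0x0002 = PKCS_SIGNED_DATA)
            length, revision, cert_type = struct.unpack_from("<IHH", buf, sec_off)
            info["certificate"] = {"offset": sec_off, "length": length, "revision": revision,
                                   "type": cert_type, "truncated": sec_off + length > len(buf)}
    return info


def build_pe(dll_chars, with_cert):
    """Construct a header-only PE32 image for testing (no sections, no real code)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                               # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, len(opt), 0x0102)  # I386, EXECUTABLE_IMAGE|32BIT_MACHINE
    headers_len = len(dos) + 4 + len(coff) + len(opt)
    cert = b""
    if with_cert:
        blob = b"\x30\x03\x02\x01\x00"                                # constructed placeholder DER, not a real PKCS#7
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, headers_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


SAMPLE_PE = build_pe(0x0040 | 0x0100 | 0x8000, with_cert=True)

if __name__ == "__main__":
    print(parse_pe(SAMPLE_PE))
```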
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F38ECE FindFirstFileExW, 0_2_00F38ECE
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F38F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00F38F7F
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F38ECE FindFirstFileExW, 2_2_00F38ECE
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F38F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00F38F7F
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then lea eax, dword ptr [esp+48h] 2_2_0041108E
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then cmp word ptr [edi+ebx], 0000h 2_2_0044D130
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-31864DE8h] 2_2_00430180
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-190DB6A4h] 2_2_00430180
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+47419432h] 2_2_00430180
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+4F38BC58h] 2_2_0042C9A0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx eax, byte ptr [esp+edx+0Ch] 2_2_0044D240
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000E8h] 2_2_004132C9
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov byte ptr [edi], al 2_2_00437B5C
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then push ebp 2_2_004113E5
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+000002B0h] 2_2_0041BBA0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov word ptr [eax], dx 2_2_0041BBA0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov word ptr [eax], dx 2_2_0041BBA0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx eax, byte ptr [esp+ecx+4417E88Ch] 2_2_0044DD50
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+4Ch] 2_2_004216A0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax-4C3CF2B1h] 2_2_004216A0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx eax, byte ptr [esp+esi-4FC6521Ah] 2_2_00444EA0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+30h] 2_2_0044B775
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+4417E890h] 2_2_0044E7E0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov word ptr [esi], cx 2_2_00432F10
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then push 00000000h 2_2_004338F0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov byte ptr [edi], al 2_2_004388A5
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+4417E890h] 2_2_0044E960
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ebx, bx 2_2_0042F11D
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov byte ptr [edi], al 2_2_00437B5C
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_004309A7
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then jmp ecx 2_2_0044C24B
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+edx-40234BF6h] 2_2_0044BA55
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov dword ptr [esp], edx 2_2_0041EA67
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov dword ptr [esp], edx 2_2_0041EA67
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov edi, dword ptr [esp+04h] 2_2_0041EA67
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+151E8BBCh] 2_2_0041EA67
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov eax, ebx 2_2_00424A00
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx edi, byte ptr [esp+ebx] 2_2_00446A09
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+64h] 2_2_0043723A
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+238384E0h] 2_2_0043723A
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-20540288h] 2_2_004492D0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-20540288h] 2_2_004492D0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+50h] 2_2_004292E0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov word ptr [ebp+00h], cx 2_2_004292E0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 2_2_004342A0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+64h] 2_2_004372AB
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+238384E0h] 2_2_004372AB
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 2_2_00441AB0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then jmp eax 2_2_0040FABA
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 2_2_0040A340
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 2_2_0040A340
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then jmp ecx 2_2_0044C340
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+151E8BBCh] 2_2_0041E30E
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov dword ptr [esp+24h], ecx 2_2_0044A31E
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000BAh] 2_2_0044A31E
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-4D3273BFh] 2_2_0042DB32
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-2D8681AAh] 2_2_0042DB32
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+74h] 2_2_0042DB32
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ebx, byte ptr [eax+edx] 2_2_00449B90
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-190DB6A0h] 2_2_004313A8
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 2_2_0041DC46
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+edx+08h] 2_2_0043247B
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ebx, byte ptr [esi+eax-761C0E5Ch] 2_2_0040E4E2
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h 2_2_00431CF8
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov word ptr [esi], cx 2_2_00412C81
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+64h] 2_2_00436CAF
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+238384E0h] 2_2_00436CAF
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-5B452AFEh] 2_2_0040D4B0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-4C66CD08h] 2_2_00420D00
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+edi+0Dh] 2_2_00420D00
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+01A3AABCh] 2_2_00420D00
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+3Ch] 2_2_004335E0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+04h] 2_2_004335E0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov word ptr [eax], dx 2_2_0041C590
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov word ptr [eax], dx 2_2_0041C590
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h 2_2_00448DA0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then jmp eax 2_2_0040E5B1
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_00430650
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+64h] 2_2_00436E05
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+238384E0h] 2_2_00436E05
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx ebp, word ptr [ecx] 2_2_0044D6A0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 2_2_0041AF40
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 2_2_0041F77A
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov word ptr [esi], cx 2_2_00432F10
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov dword ptr [esp+08h], ebx 2_2_004467E1
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 93A82FD1h 2_2_00448F90
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+edx-20540284h] 2_2_00448F90
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 2_2_004027B0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov byte ptr [edx], al 2_2_00437FB8
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 4x nop then mov byte ptr [edx], al 2_2_00437FBE
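The long run of "4x nop then ..." hits above is what the "Found inlined nop instructions" signature is built from: inside live functions (the 2_2_0041xxxx .. 2_2_0044xxxx range of the injected payload) a run of 0x90 bytes sits directly in front of a real instruction, which compilers do not emit in the middle of a basic block. The related "call, push, ret" signature looks for push imm32 followed by ret, a control-transfer substitute that breaks naive call-graph recovery. The scanner below is an added example, not Joe Sandbox's implementation: it runs both byte-pattern checks over a constructed code buffer (the bytes are hand-assembled for the example, not taken from the sample). A plain byte scan has false positives on data that happens to contain 0x90 or 0x68..0xC3, so treat the hits as candidates to confirm in a disassembler; the rebased addresses assume the 0x400000 image base of the payload.

```python
import re

# Constructed code buffer (hand-assembled for this example, not bytes from the sample):
# a 4-byte nop run before `lea eax, [esp+48h]`, a `push imm32 ; ret` pair, and a
# 2-nop run that must stay below the threshold.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                   # push ebp ; mov ebp, esp
    + b"\x90\x90\x90\x90"             # 4x nop
    + b"\x8d\x44\x24\x48"             # lea eax, dword ptr [esp+48h]
    + b"\x68\x10\x20\x40\x00\xc3"     # push 00402010h ; ret
    + b"\x90\x90\xc3"                 # 2x nop ; ret  (not reported)
)


def find_nop_runs(code, min_len=4, base=0x400000):
    """Return (address, run_length, next_opcode) for every run of >= min_len 0x90 bytes."""
    hits = []
    for m in re.finditer(rb"\x90{%d,}" % min_len, code):
        nxt = code[m.end()] if m.end() < len(code) else None
        hits.append((base + m.start(), m.end() - m.start(), nxt))
    return hits


def find_push_ret(code, base=0x400000):
    """push imm32 (68 xx xx xx xx) immediately followed by ret (C3).

    Returns (address, pushed_target): the ret transfers control to the pushed value,
    so the pair behaves like a jmp that leaves no call/jmp opcode behind."""
    hits = []
    for m in re.finditer(rb"\x68(.{4})\xc3", code, re.DOTALL):
        hits.append((base + m.start(), int.from_bytes(m.group(1), "little")))
    return hits


def summarize(code, base=0x400000):
    """Counts suitable for a triage score; density makes buffers of different size comparable."""
    nops = find_nop_runs(code, base=base)
    pushret = find_push_ret(code, base=base)
    return {"nop_runs": len(nops), "push_ret": len(pushret),
            "nop_bytes_per_kb": 1024 * sum(n for _, n, _ in nops) / max(len(code), 1)}


if __name__ == "__main__":
    for addr, n, nxt in find_nop_runs(SAMPLE_CODE):
        print(f"{n}x nop at {addr:08X}, next opcode {nxt:02X}")
    for addr, target in find_push_ret(SAMPLE_CODE):
        print(f"push/ret at {addr:08X} -> {target:08X}")
    print(summarize(SAMPLE_CODE))
```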

Networking

Source: Malware configuration extractor URLs: citydisco.bet/gdJIS
Source: Malware configuration extractor URLs: crosshairc.life/dAnjhw
Source: Malware configuration extractor URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor URLs: bugildbett.top/bAuz
Source: global traffic TCP traffic: 192.168.2.10:55860 -> 1.1.1.1:53
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49681 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49688 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49694 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49690 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49684 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49691 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49686 -> 188.114.97.3:443
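The JA3 value a0e9f5d64349fb13191bc781f81f42e1 and the seven ET rule 2028371 hits are the same observation: JA3 is the MD5 of a string built from the ClientHello (version, cipher suites, extension types, supported groups, point formats, each as decimal values joined by "-", fields joined by ","), with GREASE values dropped so that Chrome's randomised placeholders do not change the hash. Because it fingerprints the TLS stack the process links against and not the malware itself, a hash shared with a legitimate Windows component produces a low-severity alert, which is why the rule fires at severity 3 rather than as a conviction. The code below is an added example and not part of the report or of Suricata: it builds a minimal TLS 1.2 ClientHello (constructed input, not a capture of this sample's session) and derives the JA3 string and hash from it, including the GREASE filtering.

```python
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. Excluded from JA3.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}


def build_client_hello(ciphers, extensions):
    """Build a minimal TLS 1.2 ClientHello record; extensions is a list of (type, body)."""
    body = struct.pack(">H", 0x0303) + bytes(32)                     # client_version, random
    body += b"\x00"                                                   # empty session_id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                               # compression_methods: null
    ext_blob = b"".join(struct.pack(">HH", t, len(b)) + b for t, b in extensions)
    body += struct.pack(">H", len(ext_blob)) + ext_blob
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs          # record type handshake


def ja3(record):
    """Return (ja3_string, ja3_md5) for a TLS ClientHello record."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                       # past record header (5) and handshake header (4)
    version = struct.unpack_from(">H", record, p)[0]
    p += 2 + 32                                 # client_version, random
    p += 1 + record[p]                          # session_id
    n = struct.unpack_from(">H", record, p)[0]
    p += 2
    ciphers = [struct.unpack_from(">H", record, i)[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + record[p]                          # compression_methods
    ext_len = struct.unpack_from(">H", record, p)[0]
    p += 2
    end = p + ext_len
    ext_types, groups, formats = [], [], []
    while p < end:
        etype, elen = struct.unpack_from(">HH", record, p)
        p += 4
        data = record[p:p + elen]
        p += elen
        if etype in GREASE:
            continue
        ext_types.append(etype)
        if etype == 0x000A:                     # supported_groups
            gl = struct.unpack_from(">H", data, 0)[0]
            groups = [g for g in struct.unpack_from(">%dH" % (gl // 2), data, 2) if g not in GREASE]
        elif etype == 0x000B:                   # ec_point_formats
            formats = list(data[1:1 + data[0]])
    s = ",".join([str(version),
                  "-".join(str(c) for c in ciphers if c not in GREASE),
                  "-".join(map(str, ext_types)),
                  "-".join(map(str, groups)),
                  "-".join(map(str, formats))])
    return s, hashlib.md5(s.encode()).hexdigest()


# Constructed ClientHello: one GREASE cipher, one GREASE extension and one GREASE group,
# all of which must disappear from the JA3 string.
SNI = b"citydisco.bet"
HELLO = build_client_hello(
    ciphers=[0x0A0A, 0x1301, 0xC02B, 0xC02F],
    extensions=[
        (0x0A0A, b"\x00"),                                               # GREASE, ignored
        (0x0000, struct.pack(">HBH", len(SNI) + 3, 0, len(SNI)) + SNI),  # server_name
        (0x000A, struct.pack(">HHHH", 6, 0x0A0A, 0x001D, 0x0017)),       # supported_groups
        (0x000B, b"\x01\x00"),                                           # ec_point_formats: uncompressed
    ],
)

if __name__ == "__main__":
    print(*ja3(HELLO))
```

Run against a pcap (for instance by feeding the first TLS record of each client stream to ja3()), the hash can be compared with the one the sandbox reported; matching it tells you the client stack is the same, nothing more.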
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 61
  Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=G9v2MsJ16Bh
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 14914
  Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=fKIreJNBLS1GY9
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 15056
  Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=072gcUTqu96
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 20405
  Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=Epu0hr81IPM173tO4M
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 2410
  Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=jYX96PIR3W
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 588966
  Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 99
  Host: citydisco.bet
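The seven POSTs above are the stealer's whole session in miniature: a 61-byte urlencoded check-in, five multipart/form-data uploads (the 588966-byte one is the bulk of the harvested browser data; the report lists Firefox profile strings, search engine URLs and DPAPI CryptUnprotectData calls from the same process), then a 99-byte urlencoded closing request. The Chrome User-Agent is the "known web browser user agent" signature, but the request is not one Chrome would build: Chrome sends Host first and "Connection: keep-alive" in lower case, while these requests have the WinHTTP-style "Keep-Alive" with Host last. The script below is an added detection example and not part of the report: it parses constructed copies of the seven requests (same content types, sizes and header order as listed; the bodies are not reproduced), groups POSTs per host and path, and flags the beacon-then-upload pattern. The thresholds (three uploads, 100 KB) are assumptions for the example.

```python
from collections import defaultdict

UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")


def _req(ctype, length, host="citydisco.bet", path="/gdJIS"):
    # Header order and casing follow the requests in the report (WinHTTP style: Host last).
    return (f"POST {path} HTTP/1.1\r\nConnection: Keep-Alive\r\nContent-Type: {ctype}\r\n"
            f"User-Agent: {UA}\r\nContent-Length: {length}\r\nHost: {host}\r\n\r\n")


# Constructed from the seven POSTs the sandbox listed (same content types and sizes).
CAPTURE = [
    _req("application/x-www-form-urlencoded", 61),
    _req("multipart/form-data; boundary=G9v2MsJ16Bh", 14914),
    _req("multipart/form-data; boundary=fKIreJNBLS1GY9", 15056),
    _req("multipart/form-data; boundary=072gcUTqu96", 20405),
    _req("multipart/form-data; boundary=Epu0hr81IPM173tO4M", 2410),
    _req("multipart/form-data; boundary=jYX96PIR3W", 588966),
    _req("application/x-www-form-urlencoded", 99),
]


def parse_request(raw):
    """Parse a request line plus headers; header order is kept for the fingerprint check."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for ln in lines[1:]:
        if not ln:
            break
        name, value = ln.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "host": headers.get("host", ""),
            "ctype": headers.get("content-type", ""), "ua": headers.get("user-agent", ""),
            "connection": headers.get("connection", ""),
            "length": int(headers.get("content-length", "0")),
            "header_order": list(headers)}


def looks_like_fake_browser(r):
    """Heuristic: a Chrome User-Agent on a request Chrome would not have built.

    Chrome sends Host first and 'Connection: keep-alive' in lower case; WinHTTP/WinINet
    send 'Keep-Alive' and put Host last, which is what this sample does."""
    return ("Chrome/" in r["ua"] and r["connection"] == "Keep-Alive"
            and r["header_order"][:1] != ["host"])


def flag_stealer_uploads(raw_requests, min_uploads=3, min_bytes=100_000):
    """Flag a (host, path) where a small urlencoded POST is followed by several
    multipart uploads totalling at least min_bytes. Thresholds are assumed, not from the report."""
    per_target = defaultdict(list)
    for r in map(parse_request, raw_requests):
        if r["method"] == "POST":
            per_target[(r["host"], r["path"])].append(r)
    findings = []
    for (host, path), reqs in per_target.items():
        beacon = reqs[0]["ctype"].startswith("application/x-www-form-urlencoded")
        uploads = [r for r in reqs if r["ctype"].startswith("multipart/form-data")]
        total = sum(r["length"] for r in uploads)
        if beacon and len(uploads) >= min_uploads and total >= min_bytes:
            findings.append({"host": host, "path": path, "uploads": len(uploads),
                             "bytes": total, "largest": max(r["length"] for r in uploads),
                             "ua_header_mismatch": any(looks_like_fake_browser(r) for r in reqs)})
    return findings


if __name__ == "__main__":
    for f in flag_stealer_uploads(CAPTURE):
        print(f)
```

On the wire this traffic is TLS to a Cloudflare address (188.114.97.3), so the header-level check only applies where a proxy terminates TLS; without that, the SNI and the upload volume per flow are what remain observable.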
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: citydisco.bet
Source: unknown HTTP traffic detected: POST /gdJIS HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 61
  Host: citydisco.bet
Source: ModMenu.exe1.exe, 00000002.00000003.1266808858.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: ModMenu.exe1.exe, 00000002.00000003.1266808858.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: ModMenu.exe1.exe, 00000002.00000003.1266808858.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: ModMenu.exe1.exe, 00000002.00000003.1266808858.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ModMenu.exe1.exe, 00000002.00000003.1266808858.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ModMenu.exe1.exe, 00000002.00000003.1266808858.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: ModMenu.exe1.exe, 00000002.00000003.1266808858.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: ModMenu.exe1.exe, 00000002.00000003.1266808858.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: ModMenu.exe1.exe, 00000002.00000003.1266808858.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: ModMenu.exe1.exe, 00000002.00000003.1266808858.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: ModMenu.exe1.exe, 00000002.00000003.1266808858.0000000003D3D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: ModMenu.exe1.exe, 00000002.00000003.1220847481.0000000003D48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: ModMenu.exe1.exe, 00000002.00000003.1276116512.0000000001615000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700
Source: ModMenu.exe1.exe, 00000002.00000003.1276116512.0000000001615000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696497267574.12791&key=1696497267400700002.1&cta
Source: ModMenu.exe1.exe, 00000002.00000003.1220847481.0000000003D48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ModMenu.exe1.exe, 00000002.00000003.1220847481.0000000003D48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ModMenu.exe1.exe, 00000002.00000003.1220847481.0000000003D48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ModMenu.exe1.exe, 00000002.00000002.2441924906.00000000015F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/
Source: ModMenu.exe1.exe, 00000002.00000002.2441924906.00000000015F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/(
Source: ModMenu.exe1.exe, 00000002.00000002.2441924906.00000000015F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/R
Source: ModMenu.exe1.exe, 00000002.00000002.2441924906.00000000015F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/Y
Source: ModMenu.exe1.exe, 00000002.00000002.2442029872.0000000001603000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.2000049878.0000000001636000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1374753456.0000000001603000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1221605832.0000000001636000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000002.2441536898.0000000001577000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.2000241166.0000000001574000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1310590237.0000000001599000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1221622865.0000000001611000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1266146663.0000000001636000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.2000342343.0000000001602000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1275515466.0000000001636000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1244049902.000000000160A000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1276031736.0000000001636000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1267115635.0000000001636000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1310676052.00000000015A9000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1266447619.0000000001636000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJIS
Source: ModMenu.exe1.exe, 00000002.00000003.1221622865.0000000001611000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1244049902.000000000160A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJIS(D
Source: ModMenu.exe1.exe, 00000002.00000003.1244049902.000000000160A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJISAAAA
Source: ModMenu.exe1.exe, 00000002.00000002.2441536898.0000000001577000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.2000241166.0000000001574000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJISP
Source: ModMenu.exe1.exe, 00000002.00000003.1221622865.0000000001611000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJISime
Source: ModMenu.exe1.exe, 00000002.00000003.1221605832.0000000001636000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1243857715.0000000001636000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJISj
Source: ModMenu.exe1.exe, 00000002.00000002.2442029872.0000000001603000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.2000342343.0000000001602000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJISs
Source: ModMenu.exe1.exe, 00000002.00000003.1266146663.0000000001636000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1275515466.0000000001636000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1276031736.0000000001636000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1267115635.0000000001636000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1266447619.0000000001636000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJISz
Source: ModMenu.exe1.exe, 00000002.00000002.2441536898.0000000001577000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.2000241166.0000000001574000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1311087913.0000000001574000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet:443/gdJIS
Source: ModMenu.exe1.exe, 00000002.00000002.2441536898.0000000001577000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.2000241166.0000000001574000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet:443/gdJISJ
Source: ModMenu.exe1.exe, 00000002.00000003.1276116512.0000000001615000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/5b4DH7KHAf2n_mNaLjNi1-UAoKmM9rhqaA9w7FyznHo.10943.jpg
Source: ModMenu.exe1.exe, 00000002.00000003.1276116512.0000000001615000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: ModMenu.exe1.exe, 00000002.00000003.1220847481.0000000003D48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ModMenu.exe1.exe, 00000002.00000003.1220847481.0000000003D48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: ModMenu.exe1.exe, 00000002.00000003.1220847481.0000000003D48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ModMenu.exe1.exe, 00000002.00000003.1220847481.0000000003D48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: ModMenu.exe1.exe, 00000002.00000003.1276116512.0000000001615000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqrfQHr4pbW4ZbWfpbY7ReNxR3UIG8zInwYIFIVs9eYi
Source: ModMenu.exe1.exe, 00000002.00000003.1275594590.0000000003E5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: ModMenu.exe1.exe, 00000002.00000003.1275594590.0000000003E5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: ModMenu.exe1.exe, 00000002.00000003.1276116512.0000000001615000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15e498ec2b39921665a1fbc954bff40a8106629178eadc64
Source: ModMenu.exe1.exe, 00000002.00000003.1220847481.0000000003D48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: ModMenu.exe1.exe, 00000002.00000003.1220847481.0000000003D48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: ModMenu.exe1.exe, 00000002.00000003.1276116512.0000000001615000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.marriott.com/default.mi?utm_source=admarketplace&utm_medium=cpc&utm_campaign=Marriott_Pr
Source: ModMenu.exe1.exe, 00000002.00000003.1275594590.0000000003E5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.d-GHL1OW1fkT
Source: ModMenu.exe1.exe, 00000002.00000003.1275594590.0000000003E5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.sYEKgG4Or0s6
Source: ModMenu.exe1.exe, 00000002.00000003.1275594590.0000000003E5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: ModMenu.exe1.exe, 00000002.00000003.1275594590.0000000003E5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: ModMenu.exe1.exe, 00000002.00000003.1275594590.0000000003E5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49681 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49684 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49686 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49688 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49690 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49691 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49694 version: TLS 1.2
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0043F820 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard, 2_2_0043F820
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_039D1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber, 2_2_039D1000
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0043F820 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard, 2_2_0043F820
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0044004F GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 2_2_0044004F
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF31F0 0_2_00EF31F0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF3640 0_2_00EF3640
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F200D0 0_2_00F200D0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF58A0 0_2_00EF58A0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F0E0A0 0_2_00F0E0A0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F00890 0_2_00F00890
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F13890 0_2_00F13890
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F21890 0_2_00F21890
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF4080 0_2_00EF4080
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F1D080 0_2_00F1D080
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF8090 0_2_00EF8090
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F1F060 0_2_00F1F060
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF6070 0_2_00EF6070
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F04040 0_2_00F04040
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F0A820 0_2_00F0A820
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F09020 0_2_00F09020
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F1A020 0_2_00F1A020
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F0C010 0_2_00F0C010
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F23813 0_2_00F23813
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF1000 0_2_00EF1000
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F0B1E0 0_2_00F0B1E0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F1F9B0 0_2_00F1F9B0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F06180 0_2_00F06180
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F23160 0_2_00F23160
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EFE170 0_2_00EFE170
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF4940 0_2_00EF4940
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F0C940 0_2_00F0C940
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F22920 0_2_00F22920
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F10110 0_2_00F10110
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F19100 0_2_00F19100
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F3C908 0_2_00F3C908
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F1F2E0 0_2_00F1F2E0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F052C0 0_2_00F052C0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EFF2D0 0_2_00EFF2D0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F19AB0 0_2_00F19AB0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EFEAA0 0_2_00EFEAA0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F04290 0_2_00F04290
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF2280 0_2_00EF2280
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F18A50 0_2_00F18A50
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F26A54 0_2_00F26A54
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF5220 0_2_00EF5220
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF9220 0_2_00EF9220
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F15220 0_2_00F15220
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F10A10 0_2_00F10A10
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F16A00 0_2_00F16A00
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F18200 0_2_00F18200
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F073F0 0_2_00F073F0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F0F3D0 0_2_00F0F3D0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F0ABA0 0_2_00F0ABA0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F03390 0_2_00F03390
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF6390 0_2_00EF6390
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F0FB70 0_2_00F0FB70
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F11370 0_2_00F11370
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F10350 0_2_00F10350
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF8340 0_2_00EF8340
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F1EB40 0_2_00F1EB40
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EFB300 0_2_00EFB300
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EFC310 0_2_00EFC310
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F0CCE0 0_2_00F0CCE0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EFE4C0 0_2_00EFE4C0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F03CC0 0_2_00F03CC0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF54A0 0_2_00EF54A0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F00490 0_2_00F00490
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F23C90 0_2_00F23C90
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF6C80 0_2_00EF6C80
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F06480 0_2_00F06480
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F15480 0_2_00F15480
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F22480 0_2_00F22480
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F23477 0_2_00F23477
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F15C60 0_2_00F15C60
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F18450 0_2_00F18450
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF2C40 0_2_00EF2C40
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F0EC40 0_2_00F0EC40
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F18C40 0_2_00F18C40
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF5C20 0_2_00EF5C20
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F31420 0_2_00F31420
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F2B41A 0_2_00F2B41A
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F1F5D0 0_2_00F1F5D0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F235C0 0_2_00F235C0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F055B0 0_2_00F055B0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F1EDB0 0_2_00F1EDB0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF9580 0_2_00EF9580
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F1DD80 0_2_00F1DD80
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F0D560 0_2_00F0D560
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F0DD50 0_2_00F0DD50
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F1FD50 0_2_00F1FD50
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F08540 0_2_00F08540
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF7D30 0_2_00EF7D30
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EFF530 0_2_00EFF530
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EFAD30 0_2_00EFAD30
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F09500 0_2_00F09500
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F026F0 0_2_00F026F0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F21EF0 0_2_00F21EF0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F0C6A0 0_2_00F0C6A0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F02E90 0_2_00F02E90
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F18690 0_2_00F18690
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F22E90 0_2_00F22E90
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F1B680 0_2_00F1B680
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF4660 0_2_00EF4660
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F07E50 0_2_00F07E50
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF8640 0_2_00EF8640
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F06E40 0_2_00F06E40
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F0B630 0_2_00F0B630
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F19630 0_2_00F19630
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F07620 0_2_00F07620
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F00E20 0_2_00F00E20
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F20620 0_2_00F20620
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF9FF0 0_2_00EF9FF0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF67D0 0_2_00EF67D0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F06790 0_2_00F06790
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EFB780 0_2_00EFB780
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F3E782 0_2_00F3E782
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F10F80 0_2_00F10F80
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EF1790 0_2_00EF1790
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F0FF70 0_2_00F0FF70
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F09720 0_2_00F09720
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00EFE730 0_2_00EFE730
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F19F00 0_2_00F19F00
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00417900 2_2_00417900
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_004289F0 2_2_004289F0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00430180 2_2_00430180
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0042C9A0 2_2_0042C9A0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0040BA40 2_2_0040BA40
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0044D240 2_2_0044D240
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00444AC0 2_2_00444AC0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_004132C9 2_2_004132C9
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00437B5C 2_2_00437B5C
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0041BBA0 2_2_0041BBA0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0041FC98 2_2_0041FC98
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_004114B0 2_2_004114B0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0044DD50 2_2_0044DD50
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0044AD5B 2_2_0044AD5B
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0040F570 2_2_0040F570
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00415DA8 2_2_00415DA8
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_004216A0 2_2_004216A0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00444EA0 2_2_00444EA0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00436EBD 2_2_00436EBD
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00401040 2_2_00401040
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0042F840 2_2_0042F840
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0044A866 2_2_0044A866
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00407006 2_2_00407006
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00455009 2_2_00455009
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00404812 2_2_00404812
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00444020 2_2_00444020
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0044A0C4 2_2_0044A0C4
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_004298C0 2_2_004298C0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_004210CE 2_2_004210CE
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_004338F0 2_2_004338F0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0044C882 2_2_0044C882
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_004388A5 2_2_004388A5
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0041D152 2_2_0041D152
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0042F11D 2_2_0042F11D
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00437B5C 2_2_00437B5C
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0044D9C0 2_2_0044D9C0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0043F1F0 2_2_0043F1F0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_004309A7 2_2_004309A7
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0040C250 2_2_0040C250
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0041EA67 2_2_0041EA67
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00424A00 2_2_00424A00
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00446A09 2_2_00446A09
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00445A10 2_2_00445A10
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0040EA20 2_2_0040EA20
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00446A33 2_2_00446A33
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0043723A 2_2_0043723A
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_004492D0 2_2_004492D0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_004292E0 2_2_004292E0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00444280 2_2_00444280
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0043CA90 2_2_0043CA90
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0040A340 2_2_0040A340
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00408B60 2_2_00408B60
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0041E30E 2_2_0041E30E
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00402B10 2_2_00402B10
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00432B21 2_2_00432B21
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00414B26 2_2_00414B26
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0042DB32 2_2_0042DB32
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00423BDB 2_2_00423BDB
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_004253A0 2_2_004253A0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_004313A8 2_2_004313A8
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00416BB7 2_2_00416BB7
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0041DC46 2_2_0041DC46
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0043247B 2_2_0043247B
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00426400 2_2_00426400
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00427C10 2_2_00427C10
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00423419 2_2_00423419
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0044C420 2_2_0044C420
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0040BCF0 2_2_0040BCF0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00431CF8 2_2_00431CF8
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0042F480 2_2_0042F480
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0042D495 2_2_0042D495
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_004174A1 2_2_004174A1
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00436CAF 2_2_00436CAF
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0040AD40 2_2_0040AD40
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0040DD5F 2_2_0040DD5F
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00409560 2_2_00409560
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0043CD00 2_2_0043CD00
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0043F500 2_2_0043F500
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0042451E 2_2_0042451E
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0044C520 2_2_0044C520
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00424535 2_2_00424535
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0040CDC0 2_2_0040CDC0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00445DC0 2_2_00445DC0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00403590 2_2_00403590
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0041C590 2_2_0041C590
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0040C5A0 2_2_0040C5A0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00424DB0 2_2_00424DB0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00413DBA 2_2_00413DBA
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00407E50 2_2_00407E50
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_004386CD 2_2_004386CD
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0043EEF0 2_2_0043EEF0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00435EA0 2_2_00435EA0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0044D6A0 2_2_0044D6A0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0043A747 2_2_0043A747
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0040FF70 2_2_0040FF70
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00425710 2_2_00425710
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00403F30 2_2_00403F30
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00454FC3 2_2_00454FC3
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00408FD0 2_2_00408FD0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0041FFD0 2_2_0041FFD0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_004377ED 2_2_004377ED
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F200D0 2_2_00F200D0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF58A0 2_2_00EF58A0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F0E0A0 2_2_00F0E0A0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F00890 2_2_00F00890
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F13890 2_2_00F13890
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F21890 2_2_00F21890
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF4080 2_2_00EF4080
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F1D080 2_2_00F1D080
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF8090 2_2_00EF8090
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F1F060 2_2_00F1F060
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF6070 2_2_00EF6070
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F04040 2_2_00F04040
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F0A820 2_2_00F0A820
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F09020 2_2_00F09020
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F1A020 2_2_00F1A020
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F0C010 2_2_00F0C010
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F23813 2_2_00F23813
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF1000 2_2_00EF1000
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F0B1E0 2_2_00F0B1E0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF31F0 2_2_00EF31F0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F1F9B0 2_2_00F1F9B0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F06180 2_2_00F06180
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F23160 2_2_00F23160
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EFE170 2_2_00EFE170
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF4940 2_2_00EF4940
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F0C940 2_2_00F0C940
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F22920 2_2_00F22920
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F10110 2_2_00F10110
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F19100 2_2_00F19100
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F3C908 2_2_00F3C908
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F1F2E0 2_2_00F1F2E0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F052C0 2_2_00F052C0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EFF2D0 2_2_00EFF2D0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F19AB0 2_2_00F19AB0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EFEAA0 2_2_00EFEAA0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F04290 2_2_00F04290
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF2280 2_2_00EF2280
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F18A50 2_2_00F18A50
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F26A54 2_2_00F26A54
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF5220 2_2_00EF5220
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF9220 2_2_00EF9220
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F15220 2_2_00F15220
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F10A10 2_2_00F10A10
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F16A00 2_2_00F16A00
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F18200 2_2_00F18200
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F073F0 2_2_00F073F0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F0F3D0 2_2_00F0F3D0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F0ABA0 2_2_00F0ABA0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F03390 2_2_00F03390
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF6390 2_2_00EF6390
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F0FB70 2_2_00F0FB70
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F11370 2_2_00F11370
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F10350 2_2_00F10350
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF8340 2_2_00EF8340
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F1EB40 2_2_00F1EB40
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EFB300 2_2_00EFB300
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EFC310 2_2_00EFC310
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F0CCE0 2_2_00F0CCE0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EFE4C0 2_2_00EFE4C0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F03CC0 2_2_00F03CC0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF54A0 2_2_00EF54A0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F00490 2_2_00F00490
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F23C90 2_2_00F23C90
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF6C80 2_2_00EF6C80
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F06480 2_2_00F06480
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F15480 2_2_00F15480
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F22480 2_2_00F22480
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F23477 2_2_00F23477
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F15C60 2_2_00F15C60
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F18450 2_2_00F18450
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF2C40 2_2_00EF2C40
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F0EC40 2_2_00F0EC40
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F18C40 2_2_00F18C40
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF5C20 2_2_00EF5C20
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F31420 2_2_00F31420
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F2B41A 2_2_00F2B41A
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F1F5D0 2_2_00F1F5D0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F235C0 2_2_00F235C0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F055B0 2_2_00F055B0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F1EDB0 2_2_00F1EDB0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF9580 2_2_00EF9580
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F1DD80 2_2_00F1DD80
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F0D560 2_2_00F0D560
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F0DD50 2_2_00F0DD50
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F1FD50 2_2_00F1FD50
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F08540 2_2_00F08540
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF7D30 2_2_00EF7D30
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EFF530 2_2_00EFF530
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EFAD30 2_2_00EFAD30
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F09500 2_2_00F09500
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F026F0 2_2_00F026F0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F21EF0 2_2_00F21EF0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F0C6A0 2_2_00F0C6A0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F02E90 2_2_00F02E90
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F18690 2_2_00F18690
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F22E90 2_2_00F22E90
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F1B680 2_2_00F1B680
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF4660 2_2_00EF4660
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F07E50 2_2_00F07E50
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF8640 2_2_00EF8640
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF3640 2_2_00EF3640
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F06E40 2_2_00F06E40
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F0B630 2_2_00F0B630
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F19630 2_2_00F19630
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F07620 2_2_00F07620
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F00E20 2_2_00F00E20
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F20620 2_2_00F20620
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF9FF0 2_2_00EF9FF0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF67D0 2_2_00EF67D0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F06790 2_2_00F06790
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EFB780 2_2_00EFB780
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F3E782 2_2_00F3E782
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F10F80 2_2_00F10F80
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EF1790 2_2_00EF1790
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F0FF70 2_2_00F0FF70
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F09720 2_2_00F09720
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00EFE730 2_2_00EFE730
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F19F00 2_2_00F19F00
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: String function: 00F2F1CC appears 46 times
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: String function: 00F34014 appears 34 times
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: String function: 0041AFF0 appears 117 times
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: String function: 00F26F60 appears 102 times
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: String function: 0040B380 appears 45 times
Source: ModMenu.exe1.exe Static PE information: invalid certificate
Source: ModMenu.exe1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ModMenu.exe1.exe Static PE information: Section: .bss ZLIB complexity 1.0003319215238764
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00444EA0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 2_2_00444EA0
Source: ModMenu.exe1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ModMenu.exe1.exe, 00000002.00000003.1220552647.0000000003D35000.00000004.00000800.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1245034628.0000000003D38000.00000004.00000800.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1245585155.000000000162C000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1221330290.0000000001619000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ModMenu.exe1.exe ReversingLabs: Detection: 47%
Source: ModMenu.exe1.exe Virustotal: Detection: 46%
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File read: C:\Users\user\Desktop\ModMenu.exe1.exe
Source: unknown Process created: C:\Users\user\Desktop\ModMenu.exe1.exe "C:\Users\user\Desktop\ModMenu.exe1.exe"
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Process created: C:\Users\user\Desktop\ModMenu.exe1.exe "C:\Users\user\Desktop\ModMenu.exe1.exe"
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Section loaded: version.dll
Source: ModMenu.exe1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F2711A push ecx; ret 0_2_00F2712D
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00452D7B push 00BB2166h; ret 2_2_00452D80
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00453FFC push ebp; retf 2_2_00453FFD
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F2711A push ecx; ret 2_2_00F2712D
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ModMenu.exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\ModMenu.exe1.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Window / User API: threadDelayed 6233
Source: C:\Users\user\Desktop\ModMenu.exe1.exe TID: 6900 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\ModMenu.exe1.exe TID: 7404 Thread sleep count: 6233 > 30
Source: C:\Users\user\Desktop\ModMenu.exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F38ECE FindFirstFileExW, 0_2_00F38ECE
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F38F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00F38F7F
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F38ECE FindFirstFileExW, 2_2_00F38ECE
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F38F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00F38F7F
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696501413o
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696501413j
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: ModMenu.exe1.exe, 00000002.00000003.2000076388.0000000001599000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1353182130.0000000001599000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1310590237.0000000001599000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000002.2441376377.000000000155C000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000002.2441633090.000000000159C000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1311044403.0000000001599000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.2000391767.000000000159B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: ModMenu.exe1.exe, 00000002.00000003.2000076388.0000000001599000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1353182130.0000000001599000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1310590237.0000000001599000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000002.2441633090.000000000159C000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.1311044403.0000000001599000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.2000391767.000000000159B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW$
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696501413s
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: ModMenu.exe1.exe, 00000002.00000003.1245266887.0000000003D6B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696501413p
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696501413
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696501413f
Source: ModMenu.exe1.exe, 00000002.00000003.1245384983.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696501413
Source: C:\Users\user\Desktop\ModMenu.exe1.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_0044A9E0 LdrInitializeThunk, 2_2_0044A9E0
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F26DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F26DE8
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F4F1B4 mov edi, dword ptr fs:[00000030h] 0_2_00F4F1B4
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F3490C GetProcessHeap, 0_2_00F3490C
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F26A2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00F26A2C
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F26DDC SetUnhandledExceptionFilter, 0_2_00F26DDC
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F2EF1E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F2EF1E
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F26A2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00F26A2C
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F26DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00F26DE8
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F26DDC SetUnhandledExceptionFilter, 2_2_00F26DDC
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 2_2_00F2EF1E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00F2EF1E

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F4F1B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_00F4F1B4
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Memory written: C:\Users\user\Desktop\ModMenu.exe1.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Process created: C:\Users\user\Desktop\ModMenu.exe1.exe "C:\Users\user\Desktop\ModMenu.exe1.exe"
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: GetLocaleInfoW, 0_2_00F388F6
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: EnumSystemLocalesW, 0_2_00F388AB
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: EnumSystemLocalesW, 0_2_00F341F7
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00F3899D
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: GetLocaleInfoW, 0_2_00F38AA3
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00F38238
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: GetLocaleInfoW, 0_2_00F33CFC
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: EnumSystemLocalesW, 0_2_00F38489
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00F38524
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: GetLocaleInfoW, 0_2_00F387D6
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: EnumSystemLocalesW, 0_2_00F38777
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: GetLocaleInfoW, 2_2_00F388F6
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: EnumSystemLocalesW, 2_2_00F388AB
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: EnumSystemLocalesW, 2_2_00F341F7
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_00F3899D
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: GetLocaleInfoW, 2_2_00F38AA3
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00F38238
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: GetLocaleInfoW, 2_2_00F33CFC
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: EnumSystemLocalesW, 2_2_00F38489
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_00F38524
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: GetLocaleInfoW, 2_2_00F387D6
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: EnumSystemLocalesW, 2_2_00F38777
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Code function: 0_2_00F27827 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00F27827
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: ModMenu.exe1.exe, 00000002.00000002.2441536898.0000000001577000.00000004.00000020.00020000.00000000.sdmp, ModMenu.exe1.exe, 00000002.00000003.2000241166.0000000001574000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\ModMenu.exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: ModMenu.exe1.exe PID: 6856, type: MEMORYSTR
Source: Yara match File source: 2.2.ModMenu.exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ModMenu.exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2440113729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1191730492.0000000000859000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: ModMenu.exe1.exe, 00000002.00000003.1353182130.0000000001599000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum-LTC
Source: ModMenu.exe1.exe, 00000002.00000003.1353182130.0000000001599000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: ModMenu.exe1.exe, 00000002.00000002.2441845007.00000000015E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "},{"en":"cjelfplplebdjjenllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmkjojpchpfgcmhfjnmnfpi}
Source: ModMenu.exe1.exe, 00000002.00000003.1353182130.0000000001599000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: ModMenu.exe1.exe, 00000002.00000003.1310590237.0000000001599000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: ModMenu.exe1.exe, 00000002.00000003.1353182130.0000000001599000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: ModMenu.exe1.exe, 00000002.00000003.1310590237.0000000001599000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: ModMenu.exe1.exe, 00000002.00000003.1311087913.000000000156B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\logins.json
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cert9.db
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\ModMenu.exe1.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Directory queried: C:\Users\user\Documents\BNAGMGSPLO
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI
Source: C:\Users\user\Desktop\ModMenu.exe1.exe Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: Yara match File source: 00000002.00000003.1310590237.0000000001599000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1310676052.00000000015A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ModMenu.exe1.exe PID: 6856, type: MEMORYSTR
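The file-access lines above are the stealer's collection phase: a single non-browser process opens the Chromium credential stores (Login Data, Web Data, History, Network\Cookies, Login Data For Account), the Firefox profile files that hold saved logins and the NSS databases needed to decrypt them (logins.json, key4.db, cert9.db), and dozens of per-extension storage directories under Local Extension Settings and Sync Extension Settings, whose 32-character names are Chrome Web Store extension ids, then the storage of desktop wallets. The following detection logic is an added example and not part of the Joe Sandbox report: it models such events as (process image, path) pairs, the shape a Windows object-access audit (event 4663 with a SACL on the profile directories) or an EDR file-read feed would deliver, and flags any access to these stores by a process other than the browser that owns them. The sample events are constructed; the five id-to-name entries are taken from public Chrome Web Store listings and are an assumption about the ids in the report, and the store and wallet path lists are my own, derived from the paths above.

```python
"""Flag credential-store and wallet accesses made by processes that do not own them."""
import re
from collections import defaultdict

# Chromium profile files holding saved logins, autofill, history and cookies.
CHROMIUM_STORES = ("login data", "login data for account", "web data",
                   "history", "network\\cookies")
# Firefox profile files: saved logins, the NSS key/cert databases that decrypt
# them, cookies and form history.
FIREFOX_STORES = {"logins.json", "key4.db", "cert9.db",
                  "cookies.sqlite", "formhistory.sqlite"}
# Desktop wallet storage, relative to %APPDATA% or %LOCALAPPDATA% (lower-cased).
WALLET_DIRS = ("exodus\\exodus.wallet", "ledger live", "atomic\\local storage\\leveldb",
               "coinomi\\coinomi\\wallets", "bitcoin\\wallets", "binance",
               "com.liberty.jaxx\\indexeddb", "electrum\\wallets",
               "electrum-ltc\\wallets", "guarda\\indexeddb")
# <profile>\Local Extension Settings\<id> and <profile>\Sync Extension Settings\<id>
# are per-extension storage; the 32-character a-p name is the Chrome Web Store id.
EXT_RE = re.compile(r"\\(?:local|sync) extension settings\\([a-p]{32})(?:\\|$)")
# Partial id-to-name map from public Chrome Web Store listings (assumption: ids
# are stable); ids not listed here are reported as unknown:<id>.
KNOWN_WALLET_EXTENSIONS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "bfnaelmomeimhlpmgjnjophhpkkoljpa": "Phantom",
    "hnfanknocfeofbddgcijnmhnfnkdnaad": "Coinbase Wallet",
    "egjidjbpglichdcondbcbdnbeeppgdph": "Trust Wallet",
    "dmkamcknogkgcdfhhbddcghachkejeap": "Keplr",
}
# Browsers reading their own profile is normal; any other process is not.
BROWSER_OWNERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def classify(path):
    """Map a path to (kind, detail), or (None, None) if it is not a sensitive store."""
    p = path.replace("/", "\\").lower()
    m = EXT_RE.search(p)
    if m:
        return "wallet_extension", m.group(1)
    if "\\user data\\" in p:
        for store in CHROMIUM_STORES:
            if p.endswith("\\" + store):
                return "chromium_store", store
    if "\\mozilla\\firefox\\profiles" in p:
        name = p.rsplit("\\", 1)[-1]
        if name in FIREFOX_STORES:
            return "firefox_store", name
        if p.endswith("\\profiles"):
            return "firefox_profile_enum", ""   # listing profiles to find the store
    for prefix in ("\\appdata\\roaming\\", "\\appdata\\local\\"):
        for d in WALLET_DIRS:
            marker = prefix + d
            i = p.find(marker)
            # Match the directory itself or anything beneath it, not "binance-foo".
            if i != -1 and (len(p) == i + len(marker) or p[i + len(marker)] == "\\"):
                return "wallet_app", d
    return None, None


def analyze(events):
    """events: iterable of (process_image, path). Returns a list of alert dicts."""
    alerts = []
    ext_hits = defaultdict(set)   # process -> extension ids it touched
    for image, path in events:
        proc = image.replace("/", "\\").lower().rsplit("\\", 1)[-1]
        kind, detail = classify(path)
        if kind is None:
            continue
        if proc in BROWSER_OWNERS and kind != "wallet_app":
            continue   # browser reading its own profile or extension storage
        if kind == "wallet_extension":
            ext_hits[proc].add(detail)   # a stealer sweeps dozens of ids; aggregate
            continue
        alerts.append({"process": proc, "kind": kind, "detail": detail, "path": path})
    for proc, ids in ext_hits.items():
        names = sorted(KNOWN_WALLET_EXTENSIONS.get(i, "unknown:" + i) for i in ids)
        alerts.append({"process": proc, "kind": "wallet_extension_sweep",
                       "detail": ", ".join(names), "count": len(ids)})
    return alerts


STEALER = r"C:\Users\user\Desktop\ModMenu.exe1.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
CHROME_PROFILE = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
FF_PROFILE = r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release"

# Constructed sample events shaped like the report's "File opened" lines.
SAMPLE_EVENTS = [
    (STEALER, CHROME_PROFILE + r"\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn"),
    (STEALER, CHROME_PROFILE + r"\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa"),
    (STEALER, CHROME_PROFILE + r"\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai"),
    (STEALER, CHROME_PROFILE + r"\Login Data"),
    (STEALER, r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"),
    (STEALER, FF_PROFILE + r"\logins.json"),
    (STEALER, FF_PROFILE + r"\key4.db"),
    (STEALER, r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"),
    (STEALER, r"C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets"),
    (CHROME, CHROME_PROFILE + r"\Login Data"),                         # benign: own profile
    (FIREFOX, FF_PROFILE + r"\key4.db"),                               # benign: own profile
    (r"C:\Windows\explorer.exe", r"C:\Users\user\Downloads\setup.exe"),  # not sensitive
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, `analyze` returns six per-file alerts for the stealer (two Chromium stores, two Firefox stores, two wallet directories) plus one aggregated wallet_extension_sweep naming MetaMask and Phantom and listing the third id as unknown, and nothing for chrome.exe, firefox.exe or explorer.exe. Aggregating the extension hits matters in practice: the report shows roughly ninety extension directories touched in one run, and one sweep alert with a count is what an analyst wants, not ninety rows. Wallet applications would need their own owner allowlist before this runs in production, and opening these files is only the first step for the stealer (the Chromium stores are still DPAPI-encrypted, and newer Chrome builds add app-bound encryption on top), but the file access is the earliest and cheapest point at which to catch it.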

Remote Access Functionality

Source: Yara match File source: Process Memory Space: ModMenu.exe1.exe PID: 6856, type: MEMORYSTR
Source: Yara match File source: 2.2.ModMenu.exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ModMenu.exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2440113729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1191730492.0000000000859000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY