Windows Analysis Report
Installer64x.exe1.exe

Overview

General Information

Sample name: Installer64x.exe1.exe
Analysis ID: 1637276
MD5: e070bcc6b4f0e004b91f73cbe27d73ee
SHA1: cfc88488870730d1a9ab7076ef62aed1ef991ae1
SHA256: 24fb33ac2e21129c190da102e9d5d8ac9079ccb429711cc3dcbbdda44ca073ab
Tags: exe, user-TornadoAV_dev

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection

Source: Installer64x.exe1.exe Avira: detected
Source: https://citydisco.bet:443/gdJIS/ Avira URL Cloud: Label: malware
Source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["citydisco.bet/gdJIS", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"]}
Source: Installer64x.exe1.exe Virustotal: Detection: 68%
Source: Installer64x.exe1.exe ReversingLabs: Detection: 71%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp String decryptor: citydisco.bet/gdJIS
Source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp String decryptor: featureccus.shop/bdMAn
Source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp String decryptor: mrodularmall.top/aNzS
Source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp String decryptor: jowinjoinery.icu/bdWUa
Source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp String decryptor: legenassedk.top/bdpWO
Source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp String decryptor: htardwarehu.icu/Sbdsa
Source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp String decryptor: cjlaspcorne.icu/DbIps
Source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp String decryptor: bugildbett.top/bAuz
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0041CCB6 CryptUnprotectData, 2_2_0041CCB6
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0041D7D2 CryptUnprotectData,CryptUnprotectData, 2_2_0041D7D2
Source: Installer64x.exe1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49717 version: TLS 1.2
Source: Installer64x.exe1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A9FCDE FindFirstFileExW, 0_2_00A9FCDE
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A9FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00A9FD8F
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A9FCDE FindFirstFileExW, 2_2_00A9FCDE
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A9FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00A9FD8F
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx ebp, byte ptr [esp+edx+50h] 2_2_0040F14B
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then cmp dword ptr [esi+eax*8], CA198B66h 2_2_004479B0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then push edi 2_2_0041330A
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2Ch] 2_2_0044D320
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx ebp, byte ptr [esp+esi+02h] 2_2_00429C40
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then cmp word ptr [edi+ebx], 0000h 2_2_0044BC40
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx eax, byte ptr [esp+ecx+10h] 2_2_0040DC5A
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h 2_2_00443D60
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A7D4DF8h] 2_2_00421E50
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], A566C0CEh 2_2_00421E50
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7FFFFFFFh] 2_2_0042FE10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-773910CCh] 2_2_0042FE10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h 2_2_0041D7D2
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then mov word ptr [ecx], dx 2_2_0044CFE0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h] 2_2_00443F90
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+18h] 2_2_00443F90
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-3C8EC9B8h] 2_2_00411F95
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 2_2_00429050
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+edx-6D3F2B30h] 2_2_0044B060
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+000011E8h] 2_2_0042D070
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_004328D7
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000000E0h] 2_2_004110E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 2_2_0041B880
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then mov word ptr [eax], cx 2_2_0041B940
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+edx-6D3F2B30h] 2_2_0044B150
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h 2_2_0044C1C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then mov edx, eax 2_2_004491D4
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh 2_2_004019E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then mov esi, edx 2_2_004261A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-3B9108C6h] 2_2_0042D201
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 2_2_0040A210
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 2_2_0040A210
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then mov word ptr [eax], dx 2_2_00427A20
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1Ch] 2_2_0040C2D0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then mov byte ptr [edi], al 2_2_0040C2D0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 2_2_00433AD0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000BCh] 2_2_0040FAE0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A7D4DECh] 2_2_004482F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A7D4DECh] 2_2_004482F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 9F1F8F53h 2_2_004482F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 2_2_004412A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then mov byte ptr [esi], cl 2_2_00423BF0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+0587871Ah] 2_2_0040F380
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-001A1106h] 2_2_00430390
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A7D4DECh] 2_2_00445420
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2Ch] 2_2_0044D4A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx+44h] 2_2_00423D41
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then mov byte ptr [esi], cl 2_2_00423D41
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-46h] 2_2_00421530
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx esi, byte ptr [edi+eax+01h] 2_2_004105E7
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h 2_2_00447D90
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then mov dword ptr [ebp-10h], esi 2_2_00431E70
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+20h] 2_2_0041E618
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+01h] 2_2_0040BEC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx eax, byte ptr [edx] 2_2_0042EEC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+69266341h] 2_2_004336F6
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then mov word ptr [ecx], si 2_2_0041F6A9
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+1A7D4DECh] 2_2_00444F50
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+1A7D4DECh] 2_2_00447FC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68h] 2_2_004207F8

Networking

Source: Malware configuration extractor URLs: citydisco.bet/gdJIS
Source: Malware configuration extractor URLs: featureccus.shop/bdMAn
Source: Malware configuration extractor URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor URLs: bugildbett.top/bAuz
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 13 Mar 2025 12:33:58 GMTContent-Type: application/octet-streamContent-Length: 21504Last-Modified: Wed, 15 Jan 2025 19:13:16 GMTConnection: keep-aliveETag: "678808cc-5400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7a 58 21 9a 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 48 00 00 00 0a 00 00 00 00 00 00 3a 66 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e7 65 00 00 4f 00 00 00 00 80 00 00 b8 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 0c 00 00 00 34 65 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 40 46 00 00 00 20 00 00 00 48 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b8 06 00 00 00 80 00 00 00 08 00 00 00 4a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 00 00 00 02 00 00 00 52 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 66 00 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 36 00 00 dc 2c 00 00 03 00 02 00 10 00 00 06 c4 63 00 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 b5 00 00 00 01 00 00 11 02 14 7d 1c 00 00 04 02 28 14 00 00 0a 00 00 02 28 06 00 00 06 00 28 05 00 00 06 00 28 03 00 00 06 00 02 28 0b 00 00 06 00 02 28 0a 00 00 06 00 7e 19 00 00 04 72 01 00 00 70 6f 15 00 00 0a 0a 06 2c 30 00 7e 03 00 00 04 7e 12 00 00 04 72 07 00 00 70 16 28 04 00 00 06 00 7e 0f 00 00 04 7e 12 00 00 04 72 23 00 00 70 16 28 04 00 00 06 00 00 2b 18 00 7e 02 00 00 04 7e 12 00 00 04 72 07 00 00 70 16 28 04 00 00 06 00 00 7e 01 00 00 04 7e 12 00 00 04 72 43 00 00 70 16 28 04 00 00 06 00 28 08 00 00 06 00 28 0c 00 00 06 00 02 28 0e 00 00 06 00 2a 00 00 00 13 30 03 00 21 00 00 00 02 00 00 11 00 02 28 16 00 00 0a 0a 06 25 6f 17 00 00 0a 20 80 00 00 00 60 6f 18 00 00 0a 00 06 0b 2b 00 07 2a 00 00 00 1b 30 04 00 a7 01 00 00 03 00 00 11 00 00 20 00 0f 00 00 28 19 00 00 0a 00 20 10 27 00 00 8d 31 00 00 01 0a 16 0b 16 0c 73 1a 00 00 0a 0d 09 7e 10 00 00 04 6f 1b 00 00 0a 13 04 11 04 73 1c 00 00 0a 13 05 00 06 16 72 5b
Source: global traffic HTTP traffic detected: GET /conhost.exe HTTP/1.1Connection: Keep-AliveHost: 185.215.113.51
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 185.215.113.51 185.215.113.51
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49702 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49700 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49715 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49707 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49717 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49713 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49711 -> 188.114.96.3:443
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 69Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=I6JHi6LpN7d8943u2NDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14544Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1L5HK2oHz5kIooUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15051Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2Ku1iLM9pKr8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20410Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=hZkSie5dBNfL0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2567Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SDFctPB0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 584228Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 107Host: citydisco.bet
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: citydisco.bet
Source: unknown HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 69Host: citydisco.bet
Source: Installer64x.exe1.exe, 00000002.00000003.1955503478.000000000151B000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955747460.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955586311.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955939366.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410325611.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/
Source: Installer64x.exe1.exe, 00000002.00000003.1955747460.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955586311.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955939366.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410325611.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/O
Source: Installer64x.exe1.exe, 00000002.00000003.1955747460.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955586311.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955939366.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410325611.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/a
Source: Installer64x.exe1.exe, 00000002.00000002.2408694996.00000000010FB000.00000004.00000010.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955884395.0000000001498000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2409518281.0000000001469000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955526555.0000000001490000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410052970.0000000001499000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/conhost.exe
Source: Installer64x.exe1.exe, 00000002.00000003.1955884395.0000000001498000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955526555.0000000001490000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410052970.0000000001499000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/conhost.exe6
Source: Installer64x.exe1.exe, 00000002.00000003.1955884395.0000000001498000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955526555.0000000001490000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410052970.0000000001499000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/conhost.exeF
Source: Installer64x.exe1.exe, 00000002.00000003.1955747460.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955586311.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955939366.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410325611.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/conhost.exeR
Source: Installer64x.exe1.exe, 00000002.00000003.1955747460.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955586311.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955939366.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410325611.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/conhost.exeY
Source: Installer64x.exe1.exe, 00000002.00000003.1955747460.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955586311.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955939366.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410325611.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/x
Source: Installer64x.exe1.exe, 00000002.00000003.1955695637.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2409518281.0000000001474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51:80/conhost.exe
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: Installer64x.exe1.exe, 00000002.00000003.1224866637.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: Installer64x.exe1.exe, 00000002.00000003.1226366529.0000000003BA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&ci=1696500454657.12791&key=1696500454400500
Source: Installer64x.exe1.exe, 00000002.00000003.1226366529.0000000003BA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&ci=1696500454657.12791&key=1696500454400500000.1&cta
Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Installer64x.exe1.exe, 00000002.00000003.1258224493.00000000014E2000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955586311.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1200459789.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1280915629.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1258429406.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1299907440.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955643126.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1258307307.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1258119927.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1251363945.00000000014CF000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1177955714.0000000001471000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1326448367.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1281240791.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410395073.0000000001500000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955916349.00000000014FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/
Source: Installer64x.exe1.exe, 00000002.00000003.1299907440.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1326448367.00000000014EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/.
Source: Installer64x.exe1.exe, 00000002.00000003.1299907440.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1326448367.00000000014EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/2
Source: Installer64x.exe1.exe, 00000002.00000003.1955747460.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955586311.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955939366.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410325611.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/E
Source: Installer64x.exe1.exe, 00000002.00000003.1281240791.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410052970.0000000001499000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1177955714.000000000148C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJIS
Source: Installer64x.exe1.exe, 00000002.00000003.1251096524.000000000151B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJIS66/hI
Source: Installer64x.exe1.exe, 00000002.00000003.1955747460.00000000014E5000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955586311.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955939366.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410325611.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJISD
Source: Installer64x.exe1.exe, 00000002.00000003.1299907440.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1326448367.00000000014EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/ka
Source: Installer64x.exe1.exe, 00000002.00000003.1955695637.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2409518281.0000000001474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet:443/gdJIS
Source: Installer64x.exe1.exe, 00000002.00000003.1955695637.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1258361257.0000000001471000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2409518281.0000000001474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet:443/gdJIS/
Source: Installer64x.exe1.exe, 00000002.00000003.1955695637.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1258361257.0000000001471000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2409518281.0000000001474000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1177955714.0000000001471000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet:443/gdJISi
Source: Installer64x.exe1.exe, 00000002.00000003.1955695637.0000000001472000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1258361257.0000000001471000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2409518281.0000000001474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet:443/gdJISsw2cld.default-release/key4.dbPK
Source: Installer64x.exe1.exe, 00000002.00000003.1226366529.0000000003BA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: Installer64x.exe1.exe, 00000002.00000003.1226366529.0000000003BA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: Installer64x.exe1.exe, 00000002.00000003.1226366529.0000000003BA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4CbW4pDk4pbW4CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: Installer64x.exe1.exe, 00000002.00000003.1225936356.0000000003DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Installer64x.exe1.exe, 00000002.00000003.1225936356.0000000003DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Installer64x.exe1.exe, 00000002.00000003.1226366529.0000000003BA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_f6f292994d7c60be109e4c185cbc03032d36d17160d4e639
Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: Installer64x.exe1.exe, 00000002.00000003.1226366529.0000000003BA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: Installer64x.exe1.exe, 00000002.00000003.1225936356.0000000003DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.8Z86fTxZfkM6
Source: Installer64x.exe1.exe, 00000002.00000003.1225936356.0000000003DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.UnUp0v0CLe9Y
Source: Installer64x.exe1.exe, 00000002.00000003.1225936356.0000000003DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Installer64x.exe1.exe, 00000002.00000003.1225936356.0000000003DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Installer64x.exe1.exe, 00000002.00000003.1225936356.0000000003DB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.11:49717 version: TLS 1.2
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0043F3A0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard, 2_2_0043F3A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_03A01000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber, 2_2_03A01000
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0043F530 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 2_2_0043F530
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A64CB0 0_2_00A64CB0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A66460 0_2_00A66460
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A2553B 0_2_00A2553B
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A41F50 0_2_00A41F50
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A498A0 0_2_00A498A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A678A0 0_2_00A678A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A66090 0_2_00A66090
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A350E0 0_2_00A350E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A400E0 0_2_00A400E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A3A0F0 0_2_00A3A0F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A790F0 0_2_00A790F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A7E0F0 0_2_00A7E0F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A8B0F0 0_2_00A8B0F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A428C0 0_2_00A428C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A4E020 0_2_00A4E020
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A2E030 0_2_00A2E030
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A8A030 0_2_00A8A030
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A21000 0_2_00A21000
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A82800 0_2_00A82800
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A3D810 0_2_00A3D810
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A5A810 0_2_00A5A810
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A76010 0_2_00A76010
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A3F860 0_2_00A3F860
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A5C870 0_2_00A5C870
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A5D070 0_2_00A5D070
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A7D070 0_2_00A7D070
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A33840 0_2_00A33840
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A25856 0_2_00A25856
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A7C050 0_2_00A7C050
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A301A0 0_2_00A301A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A389A0 0_2_00A389A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A7D980 0_2_00A7D980
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A28990 0_2_00A28990
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A3F190 0_2_00A3F190
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A5E9C0 0_2_00A5E9C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A241D0 0_2_00A241D0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A841D0 0_2_00A841D0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A76920 0_2_00A76920
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A58130 0_2_00A58130
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A8D90A 0_2_00A8D90A
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A3E900 0_2_00A3E900
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A2C906 0_2_00A2C906
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A58900 0_2_00A58900
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A50110 0_2_00A50110
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A74110 0_2_00A74110
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A2B960 0_2_00A2B960
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A57170 0_2_00A57170
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A36940 0_2_00A36940
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A39150 0_2_00A39150
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A37AA0 0_2_00A37AA0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A58AA0 0_2_00A58AA0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A382B0 0_2_00A382B0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A812B0 0_2_00A812B0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A87AB0 0_2_00A87AB0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A43A90 0_2_00A43A90
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A45290 0_2_00A45290
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A272E0 0_2_00A272E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A29AF6 0_2_00A29AF6
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A922CA 0_2_00A922CA
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A83A20 0_2_00A83A20
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A4CA30 0_2_00A4CA30
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A4DA30 0_2_00A4DA30
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A98230 0_2_00A98230
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A43200 0_2_00A43200
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A71A00 0_2_00A71A00
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A82210 0_2_00A82210
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A68A70 0_2_00A68A70
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A60240 0_2_00A60240
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A7BA40 0_2_00A7BA40
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A2D250 0_2_00A2D250
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A53A50 0_2_00A53A50
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A31BA0 0_2_00A31BA0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A3E3A0 0_2_00A3E3A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A553A0 0_2_00A553A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A77BB0 0_2_00A77BB0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A7D3B0 0_2_00A7D3B0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A3DB80 0_2_00A3DB80
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A30B90 0_2_00A30B90
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A893E0 0_2_00A893E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A4A3F0 0_2_00A4A3F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A4ABF0 0_2_00A4ABF0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A5ABF0 0_2_00A5ABF0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A693D0 0_2_00A693D0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A47320 0_2_00A47320
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A61320 0_2_00A61320
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A4D330 0_2_00A4D330
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A83330 0_2_00A83330
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A2A300 0_2_00A2A300
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A27B00 0_2_00A27B00
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A2CB0F 0_2_00A2CB0F
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A28310 0_2_00A28310
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A3B310 0_2_00A3B310
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A49360 0_2_00A49360
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A6EB40 0_2_00A6EB40
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A37B50 0_2_00A37B50
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A6A350 0_2_00A6A350
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A70350 0_2_00A70350
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A7C350 0_2_00A7C350
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A4E490 0_2_00A4E490
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A784C0 0_2_00A784C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A8A4C0 0_2_00A8A4C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A88420 0_2_00A88420
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A34430 0_2_00A34430
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A30430 0_2_00A30430
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A73430 0_2_00A73430
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A42C00 0_2_00A42C00
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A81C00 0_2_00A81C00
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A3D410 0_2_00A3D410
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A34C10 0_2_00A34C10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A56410 0_2_00A56410
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A3EC70 0_2_00A3EC70
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A53C70 0_2_00A53C70
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A32450 0_2_00A32450
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A45450 0_2_00A45450
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A5C5A0 0_2_00A5C5A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A42D80 0_2_00A42D80
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A5DD80 0_2_00A5DD80
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00AA5592 0_2_00AA5592
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A30DE0 0_2_00A30DE0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A4B5F0 0_2_00A4B5F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A25DF6 0_2_00A25DF6
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A67DF0 0_2_00A67DF0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A455C0 0_2_00A455C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A28DD0 0_2_00A28DD0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A57DD0 0_2_00A57DD0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A5F5D0 0_2_00A5F5D0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A895D0 0_2_00A895D0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A5DDD9 0_2_00A5DDD9
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A5FD20 0_2_00A5FD20
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A29D30 0_2_00A29D30
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A36530 0_2_00A36530
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A43530 0_2_00A43530
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A7F530 0_2_00A7F530
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A49D00 0_2_00A49D00
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A7FD00 0_2_00A7FD00
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A33510 0_2_00A33510
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A5B560 0_2_00A5B560
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A83D60 0_2_00A83D60
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A79576 0_2_00A79576
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A63EA0 0_2_00A63EA0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A45EB0 0_2_00A45EB0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A62E80 0_2_00A62E80
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A7AE80 0_2_00A7AE80
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A2E690 0_2_00A2E690
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A75690 0_2_00A75690
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A5D6E0 0_2_00A5D6E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A586E0 0_2_00A586E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A6AEE0 0_2_00A6AEE0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A2B6F0 0_2_00A2B6F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A466F0 0_2_00A466F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A376C0 0_2_00A376C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A5AEC0 0_2_00A5AEC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A4C6D0 0_2_00A4C6D0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A30620 0_2_00A30620
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A4FE20 0_2_00A4FE20
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A77630 0_2_00A77630
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A81630 0_2_00A81630
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A2C610 0_2_00A2C610
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A40E10 0_2_00A40E10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A87E10 0_2_00A87E10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A2DE60 0_2_00A2DE60
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A61660 0_2_00A61660
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A7A660 0_2_00A7A660
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A84640 0_2_00A84640
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A69650 0_2_00A69650
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A66F90 0_2_00A66F90
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A7FF90 0_2_00A7FF90
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A2D7F0 0_2_00A2D7F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A707F0 0_2_00A707F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A46FC0 0_2_00A46FC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A72FC0 0_2_00A72FC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A33F20 0_2_00A33F20
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A2A700 0_2_00A2A700
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A75700 0_2_00A75700
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00AA3718 0_2_00AA3718
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A2BF10 0_2_00A2BF10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A42F10 0_2_00A42F10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A7EF10 0_2_00A7EF10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A29718 0_2_00A29718
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A39740 0_2_00A39740
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0044C870 2_2_0044C870
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0041D078 2_2_0041D078
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0040B8F0 2_2_0040B8F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_004479B0 2_2_004479B0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00412A4D 2_2_00412A4D
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00437365 2_2_00437365
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0040D4C0 2_2_0040D4C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0041CCB6 2_2_0041CCB6
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0044BD50 2_2_0044BD50
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0041655F 2_2_0041655F
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00421E50 2_2_00421E50
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00417E10 2_2_00417E10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0042FE10 2_2_0042FE10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0042C620 2_2_0042C620
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_004286A0 2_2_004286A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0040E700 2_2_0040E700
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0042B71C 2_2_0042B71C
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0041D7D2 2_2_0041D7D2
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00443F90 2_2_00443F90
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00411F95 2_2_00411F95
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0040EFAC 2_2_0040EFAC
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00401040 2_2_00401040
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0041F04F 2_2_0041F04F
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00429050 2_2_00429050
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0044B060 2_2_0044B060
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0043D064 2_2_0043D064
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0042D070 2_2_0042D070
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0043F010 2_2_0043F010
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_004020D0 2_2_004020D0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0043D8E2 2_2_0043D8E2
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0041B940 2_2_0041B940
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0041794C 2_2_0041794C
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00420150 2_2_00420150
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0044B150 2_2_0044B150
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0040D970 2_2_0040D970
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0042190C 2_2_0042190C
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0044C1C0 2_2_0044C1C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_004491D4 2_2_004491D4
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0044B9E0 2_2_0044B9E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_004399F6 2_2_004399F6
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00441980 2_2_00441980
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0043718B 2_2_0043718B
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00431189 2_2_00431189
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_004171A4 2_2_004171A4
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0042D201 2_2_0042D201
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0040A210 2_2_0040A210
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00424A10 2_2_00424A10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00427A20 2_2_00427A20
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0043EA20 2_2_0043EA20
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00408A30 2_2_00408A30
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00442232 2_2_00442232
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0042E7B4 2_2_0042E7B4
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_004482F0 2_2_004482F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0044B2F0 2_2_0044B2F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0044AAFB 2_2_0044AAFB
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00445A98 2_2_00445A98
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00430AAB 2_2_00430AAB
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00426340 2_2_00426340
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00402B00 2_2_00402B00
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0042BB04 2_2_0042BB04
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0042F31B 2_2_0042F31B
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0043C320 2_2_0043C320
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0042FB33 2_2_0042FB33
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0043233F 2_2_0043233F
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_004133C4 2_2_004133C4
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_004433E0 2_2_004433E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0044B380 2_2_0044B380
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0040BC10 2_2_0040BC10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0044B410 2_2_0044B410
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00444C10 2_2_00444C10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00409430 2_2_00409430
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0044C4C0 2_2_0044C4C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0041255F 2_2_0041255F
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0040DD74 2_2_0040DD74
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00403500 2_2_00403500
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00407D20 2_2_00407D20
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00425520 2_2_00425520
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00421530 2_2_00421530
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00432DC0 2_2_00432DC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0040C5E0 2_2_0040C5E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0043A58C 2_2_0043A58C
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00424D90 2_2_00424D90
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0040CDB0 2_2_0040CDB0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00443640 2_2_00443640
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00445640 2_2_00445640
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00430E4F 2_2_00430E4F
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0041366E 2_2_0041366E
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00431E70 2_2_00431E70
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0043AE04 2_2_0043AE04
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0041E618 2_2_0041E618
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00437E23 2_2_00437E23
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0042EEC0 2_2_0042EEC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00426EC1 2_2_00426EC1
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0041C6C4 2_2_0041C6C4
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00403EA0 2_2_00403EA0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00408EA0 2_2_00408EA0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_004366A0 2_2_004366A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0041F6A9 2_2_0041F6A9
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00437EB0 2_2_00437EB0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0043774D 2_2_0043774D
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00429750 2_2_00429750
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00444F50 2_2_00444F50
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00402760 2_2_00402760
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00438770 2_2_00438770
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00437F17 2_2_00437F17
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0043671D 2_2_0043671D
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0042F72E 2_2_0042F72E
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00413FC0 2_2_00413FC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_004257C0 2_2_004257C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_004207F8 2_2_004207F8
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00404782 2_2_00404782
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00406F86 2_2_00406F86
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0041DFB1 2_2_0041DFB1
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0042E7B4 2_2_0042E7B4
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A498A0 2_2_00A498A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A678A0 2_2_00A678A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A798B0 2_2_00A798B0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A2C890 2_2_00A2C890
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A66090 2_2_00A66090
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A350E0 2_2_00A350E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A400E0 2_2_00A400E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A3A0F0 2_2_00A3A0F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A790F0 2_2_00A790F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A8B0F0 2_2_00A8B0F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A428C0 2_2_00A428C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A4E020 2_2_00A4E020
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A2E030 2_2_00A2E030
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A21000 2_2_00A21000
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A82800 2_2_00A82800
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A3D810 2_2_00A3D810
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A5A810 2_2_00A5A810
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A76010 2_2_00A76010
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A3F860 2_2_00A3F860
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A5C870 2_2_00A5C870
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A5D070 2_2_00A5D070
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A33840 2_2_00A33840
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A301A0 2_2_00A301A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A389A0 2_2_00A389A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A28990 2_2_00A28990
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A3F190 2_2_00A3F190
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A2D1E0 2_2_00A2D1E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A5E9C0 2_2_00A5E9C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A241D0 2_2_00A241D0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A841D0 2_2_00A841D0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A76920 2_2_00A76920
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A58130 2_2_00A58130
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A8D90A 2_2_00A8D90A
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A3E900 2_2_00A3E900
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A58900 2_2_00A58900
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A50110 2_2_00A50110
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A74110 2_2_00A74110
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A2B960 2_2_00A2B960
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A57170 2_2_00A57170
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A36940 2_2_00A36940
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A39150 2_2_00A39150
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A37AA0 2_2_00A37AA0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A58AA0 2_2_00A58AA0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A382B0 2_2_00A382B0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A812B0 2_2_00A812B0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A87AB0 2_2_00A87AB0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A43A90 2_2_00A43A90
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A45290 2_2_00A45290
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A522F0 2_2_00A522F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A922CA 2_2_00A922CA
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A83A20 2_2_00A83A20
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A98230 2_2_00A98230
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A43200 2_2_00A43200
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A71A00 2_2_00A71A00
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A82210 2_2_00A82210
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A68A70 2_2_00A68A70
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A27240 2_2_00A27240
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A53A50 2_2_00A53A50
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A31BA0 2_2_00A31BA0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A3E3A0 2_2_00A3E3A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A553A0 2_2_00A553A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A3DB80 2_2_00A3DB80
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A30B90 2_2_00A30B90
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A893E0 2_2_00A893E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A4ABF0 2_2_00A4ABF0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A5ABF0 2_2_00A5ABF0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A693D0 2_2_00A693D0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A47320 2_2_00A47320
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A61320 2_2_00A61320
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A2A300 2_2_00A2A300
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A27B00 2_2_00A27B00
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A6130F 2_2_00A6130F
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A28310 2_2_00A28310
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A3B310 2_2_00A3B310
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A49360 2_2_00A49360
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A6EB40 2_2_00A6EB40
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A37B50 2_2_00A37B50
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A6A350 2_2_00A6A350
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A70350 2_2_00A70350
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A64CB0 2_2_00A64CB0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A7BCC0 2_2_00A7BCC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A784C0 2_2_00A784C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A8A4C0 2_2_00A8A4C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A254D0 2_2_00A254D0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A34430 2_2_00A34430
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A30430 2_2_00A30430
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A73430 2_2_00A73430
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A42C00 2_2_00A42C00
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A81C00 2_2_00A81C00
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A7840F 2_2_00A7840F
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A34C10 2_2_00A34C10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A3D410 2_2_00A3D410
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A53410 2_2_00A53410
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A66460 2_2_00A66460
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A3EC70 2_2_00A3EC70
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A53C70 2_2_00A53C70
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A32450 2_2_00A32450
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A45450 2_2_00A45450
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A5C5A0 2_2_00A5C5A0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A42D80 2_2_00A42D80
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A5DD80 2_2_00A5DD80
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00AA5592 2_2_00AA5592
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A30DE0 2_2_00A30DE0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A4B5F0 2_2_00A4B5F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A67DF0 2_2_00A67DF0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A455C0 2_2_00A455C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A28DD0 2_2_00A28DD0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A5F5D0 2_2_00A5F5D0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A57DD0 2_2_00A57DD0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A5DDD9 2_2_00A5DDD9
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A5FD20 2_2_00A5FD20
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A29D30 2_2_00A29D30
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A36530 2_2_00A36530
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A43530 2_2_00A43530
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A49D00 2_2_00A49D00
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A7FD00 2_2_00A7FD00
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A79500 2_2_00A79500
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A33510 2_2_00A33510
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A5B560 2_2_00A5B560
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A83D60 2_2_00A83D60
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A2CD50 2_2_00A2CD50
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A63EA0 2_2_00A63EA0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A216B0 2_2_00A216B0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A45EB0 2_2_00A45EB0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A62E80 2_2_00A62E80
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A29690 2_2_00A29690
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A2E690 2_2_00A2E690
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A75690 2_2_00A75690
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A5D6E0 2_2_00A5D6E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A586E0 2_2_00A586E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A6AEE0 2_2_00A6AEE0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A2B6F0 2_2_00A2B6F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A466F0 2_2_00A466F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A376C0 2_2_00A376C0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A5AEC0 2_2_00A5AEC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A30620 2_2_00A30620
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A4FE20 2_2_00A4FE20
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A2C610 2_2_00A2C610
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A40E10 2_2_00A40E10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A87E10 2_2_00A87E10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A2DE60 2_2_00A2DE60
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A89E60 2_2_00A89E60
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A84640 2_2_00A84640
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A69650 2_2_00A69650
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A66F90 2_2_00A66F90
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A7FF90 2_2_00A7FF90
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A227E0 2_2_00A227E0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A707F0 2_2_00A707F0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A46FC0 2_2_00A46FC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A72FC0 2_2_00A72FC0
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A33F20 2_2_00A33F20
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A2A700 2_2_00A2A700
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A2BF10 2_2_00A2BF10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00AA3718 2_2_00AA3718
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A42F10 2_2_00A42F10
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A39740 2_2_00A39740
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A41F50 2_2_00A41F50
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: String function: 0041B930 appears 104 times
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: String function: 00A8DE10 appears 96 times
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: String function: 00A9607C appears 44 times
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: String function: 0040B230 appears 40 times
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: String function: 00A9AE24 appears 34 times
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 688
Source: Installer64x.exe1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Installer64x.exe1.exe Static PE information: Section: .bss ZLIB complexity 1.0003241237482117
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/6@1/2
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00443F90 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 2_2_00443F90
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7020
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\7ddce0fc-db99-41fb-ad81-821b67a38a4a Jump to behavior
Source: Installer64x.exe1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Installer64x.exe1.exe, 00000002.00000003.1200896157.0000000003BC3000.00000004.00000800.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1201663175.0000000003BAF000.00000004.00000800.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1179137259.0000000003BB4000.00000004.00000800.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1179555105.0000000003B96000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
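The `CREATE TABLE password_notes ... REFERENCES logins` string above is part of the schema of Chromium's "Login Data" SQLite database; a binary that carries it is preparing to open the credential store directly rather than through the browser. The following scanner is an added example written for this page (it is not part of the Joe Sandbox report or of any tool it references): it sweeps a memory dump or unpacked image for that schema string and a handful of other well-known Chromium and Firefox credential-store markers, in both narrow and UTF-16LE form, and summarises which browser families are targeted. The sample dump bytes are constructed for the demonstration and contain no real data.

```python
"""Scan a memory dump or unpacked binary for browser credential-store markers.

Added example, not from the analysis report. The markers are schema and file
names used by Chromium's and Firefox's credential stores; a stealer that
embeds them is preparing to open those databases directly.
"""
import re

# Strings from Chromium's "Login Data" / "Cookies" SQLite schemas and from
# Firefox's password store; their presence in an unrelated executable is suspicious.
BROWSER_STORE_MARKERS = {
    b"CREATE TABLE logins": "chromium_login_data_schema",
    b"CREATE TABLE password_notes": "chromium_password_notes_schema",
    b"CREATE TABLE cookies": "chromium_cookies_schema",
    b"password_value": "chromium_login_column",
    b"encrypted_value": "chromium_cookie_column",
    b"os_crypt": "chromium_local_state_key",
    b"logins.json": "firefox_logins_file",
    b"key4.db": "firefox_key_db",
    b"encryptedPassword": "firefox_logins_field",
}


def find_browser_store_markers(data: bytes):
    """Return sorted (offset, tag, encoding) hits for every marker in `data`.

    Both ASCII and UTF-16LE are searched because Windows samples usually hold
    file names as wide strings while the SQL text stays narrow.
    """
    hits = []
    for marker, tag in BROWSER_STORE_MARKERS.items():
        wide = marker.decode("ascii").encode("utf-16-le")
        for needle, enc in ((marker, "ascii"), (wide, "utf16")):
            for m in re.finditer(re.escape(needle), data):
                hits.append((m.start(), tag, enc))
    return sorted(hits)


def classify(data: bytes) -> str:
    """Coarse verdict: which browser families the scanned bytes target."""
    tags = {tag for _, tag, _ in find_browser_store_markers(data)}
    families = []
    if any(t.startswith("chromium") for t in tags):
        families.append("chromium")
    if any(t.startswith("firefox") for t in tags):
        families.append("firefox")
    return ",".join(families) or "none"


# Constructed sample region (not real memory): the schema fragment quoted in
# the report, a wide-string Firefox file name, and filler bytes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, "
      b"parent_id INTEGER NOT NULL REFERENCES logins ...);"
    + b"\x90" * 8
    + "logins.json".encode("utf-16-le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for off, tag, enc in find_browser_store_markers(SAMPLE_DUMP):
        print(f"0x{off:06x} {enc:6} {tag}")
    print("targets:", classify(SAMPLE_DUMP))
```

Run it against the `.sdmp` regions the report lists, or against a full process dump; a hit on the schema strings plus a hit on `os_crypt` is the usual pairing, since the DPAPI-wrapped key in "Local State" is needed to decrypt `password_value`.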
Source: Installer64x.exe1.exe Virustotal: Detection: 68%
Source: Installer64x.exe1.exe ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File read: C:\Users\user\Desktop\Installer64x.exe1.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Installer64x.exe1.exe "C:\Users\user\Desktop\Installer64x.exe1.exe"
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Process created: C:\Users\user\Desktop\Installer64x.exe1.exe "C:\Users\user\Desktop\Installer64x.exe1.exe"
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 688
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Process created: C:\Users\user\Desktop\Installer64x.exe1.exe "C:\Users\user\Desktop\Installer64x.exe1.exe" Jump to behavior
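The process tree above has the shape of self-injection: the sample starts a second copy of itself with an unchanged command line (the report elsewhere records the suspended create and the PE injection), and a `WerFault.exe -p 7020` crash handler is spawned for the faulting process. The script below is an added example for this page, not part of the report: it runs a detection over constructed process-creation events (pids, parent pids and the exact parent of WerFault are invented for the demonstration; the report does not state which process 7020 is) and pairs each self-spawn with a matching crash report.

```python
"""Flag a self-spawn followed by a crash report for the child, the process
tree shape in the report (sample -> identical sample -> WerFault -p <pid>).

Added example, not from the report. Pids below are invented.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


WERFAULT_PID = re.compile(r"(?i)werfault\.exe.*?\s-p\s+(\d+)")


def find_self_spawns(events):
    """Return (parent_pid, child_pid) pairs where a process launched its own
    image with an identical command line.

    Benign installers rarely relaunch themselves unchanged; hollowing loaders
    do exactly this (CREATE_SUSPENDED, write payload, resume thread).
    """
    by_pid = {e.pid: e for e in events}
    pairs = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and parent.image.lower() == e.image.lower() \
                and parent.cmdline == e.cmdline:
            pairs.append((parent.pid, e.pid))
    return pairs


def find_crashed_children(events, pairs):
    """Keep only self-spawn pairs whose child later got a WerFault -p <pid>:
    an injected payload that faults leaves this trace even if the loader
    itself exits cleanly."""
    crashed = set()
    for e in events:
        m = WERFAULT_PID.search(e.cmdline)
        if m:
            crashed.add(int(m.group(1)))
    return [(p, c) for p, c in pairs if c in crashed]


# Constructed events mirroring the report's tree (pids invented), plus a
# benign explorer -> notepad pair as a control.
SAMPLE_EVENTS = [
    ProcEvent(7000, 4000, r"C:\Users\user\Desktop\Installer64x.exe1.exe",
              r'"C:\Users\user\Desktop\Installer64x.exe1.exe"'),
    ProcEvent(7010, 7000, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(7020, 7000, r"C:\Users\user\Desktop\Installer64x.exe1.exe",
              r'"C:\Users\user\Desktop\Installer64x.exe1.exe"'),
    ProcEvent(7030, 7020, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 7020 -s 688"),
    ProcEvent(8000, 4000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(8001, 8000, r"C:\Windows\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    pairs = find_self_spawns(SAMPLE_EVENTS)
    print("self-spawns:", pairs)
    print("self-spawn children that crashed:",
          find_crashed_children(SAMPLE_EVENTS, pairs))
```

The identical-command-line requirement is what keeps the rule quiet on multi-process applications: a browser relaunches its own image for renderer processes, but with distinct `--type=` arguments. The WerFault correlation is a confirmation signal, not a requirement; a payload that runs without faulting produces the self-spawn pair alone.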
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: Installer64x.exe1.exe Static file information: File size 1364480 > 1048576
Source: Installer64x.exe1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A8DFCA push ecx; ret 0_2_00A8DFDD
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_0045446E push cs; ret 2_2_004544B8
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00454666 push 9DE8EE2Fh; iretd 2_2_0045468D
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A604F7 push ebx; iretd 2_2_00A604F9
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A604DD push ebx; iretd 2_2_00A604E3
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A8DFCA push ecx; ret 2_2_00A8DFDD
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A4A775 push es; iretd 2_2_00A4A776
Source: Installer64x.exe1.exe Static PE information: section name: .text entropy: 7.09207256696417
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Installer64x.exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Installer64x.exe1.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Window / User API: threadDelayed 6305
Source: C:\Users\user\Desktop\Installer64x.exe1.exe TID: 3504 Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\Desktop\Installer64x.exe1.exe TID: 7816 Thread sleep count: 6305 > 30
Source: C:\Users\user\Desktop\Installer64x.exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A9FCDE FindFirstFileExW, 0_2_00A9FCDE
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A9FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00A9FD8F
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A9FCDE FindFirstFileExW, 2_2_00A9FCDE
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A9FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00A9FD8F
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696503903o
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Installer64x.exe1.exe, 00000002.00000003.1955884395.0000000001498000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2409518281.0000000001463000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955526555.0000000001490000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1280871259.000000000148E000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410052970.0000000001499000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1177955714.000000000148C000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1258180324.000000000148E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696503903|UE
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696503903t
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696503903s
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696503903j
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696503903f
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903
Source: Installer64x.exe1.exe, 00000002.00000003.1201272845.0000000003C16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696503903p
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: VMware-42 27 b7 a3 1e b0 86 f3-0a fe 06 07 d0 80 07 92
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696503903x
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696503903
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696503903
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696503903
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696503903
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696503903t
Source: Installer64x.exe1.exe, 00000002.00000003.1201450994.0000000003BE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Installer64x.exe1.exe, 00000002.00000003.1201272845.0000000003C16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware20
Source: C:\Users\user\Desktop\Installer64x.exe1.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A2553B _strlen,GetModuleHandleA,GetProcAddress,VirtualProtect,LdrInitializeThunk,OleDraw,GetModuleHandleA,GetProcAddress,OleDraw,FreeConsole,__fread_nolock,_strlen,_strlen,FreeConsole,__fread_nolock,FreeConsole,__fread_nolock, 0_2_00A2553B
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A8DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00A8DC9E
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00AB61B4 mov edi, dword ptr fs:[00000030h] 0_2_00AB61B4
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A9B71C GetProcessHeap, 0_2_00A9B71C
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A8D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00A8D8E2
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A8DC92 SetUnhandledExceptionFilter, 0_2_00A8DC92
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A95DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00A95DCE
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A8D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00A8D8E2
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A8DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00A8DC9E
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 2_2_00A95DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00A95DCE

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00AB61B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_00AB61B4
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Memory written: C:\Users\user\Desktop\Installer64x.exe1.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Process created: C:\Users\user\Desktop\Installer64x.exe1.exe "C:\Users\user\Desktop\Installer64x.exe1.exe"
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: GetLocaleInfoW, 0_2_00A9F8B3
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: EnumSystemLocalesW, 0_2_00A9B007
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00A9F048
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: EnumSystemLocalesW, 0_2_00A9F299
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00A9F334
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: GetLocaleInfoW, 0_2_00A9AB0C
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: EnumSystemLocalesW, 0_2_00A9F587
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: GetLocaleInfoW, 0_2_00A9F5E6
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: EnumSystemLocalesW, 0_2_00A9F6BB
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00A9F7AD
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: GetLocaleInfoW, 0_2_00A9F706
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: GetLocaleInfoW, 2_2_00A9F8B3
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: EnumSystemLocalesW, 2_2_00A9B007
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00A9F048
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: EnumSystemLocalesW, 2_2_00A9F299
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_00A9F334
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: GetLocaleInfoW, 2_2_00A9AB0C
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: EnumSystemLocalesW, 2_2_00A9F587
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: GetLocaleInfoW, 2_2_00A9F5E6
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: EnumSystemLocalesW, 2_2_00A9F6BB
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_00A9F7AD
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: GetLocaleInfoW, 2_2_00A9F706
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Code function: 0_2_00A8E6D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00A8E6D7
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Installer64x.exe1.exe, 00000002.00000003.1955884395.0000000001498000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1280915629.00000000014E7000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2409518281.0000000001490000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1955526555.0000000001490000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1281240791.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000003.1280871259.000000000148E000.00000004.00000020.00020000.00000000.sdmp, Installer64x.exe1.exe, 00000002.00000002.2410052970.0000000001499000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\Installer64x.exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: Installer64x.exe1.exe PID: 3588, type: MEMORYSTR
Source: Yara match File source: 2.2.Installer64x.exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Installer64x.exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2407790699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Installer64x.exe1.exe, 00000002.00000003.1200459789.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets"ez":"Nabox"},{"en":"hcflpincpppdclinealmandijcmnkbgn","ez":"KHC"},{"en":"ookjlbkiijinhpmnjffcofjonbfbga
Source: Installer64x.exe1.exe, 00000002.00000003.1200459789.00000000014D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\walletsta","z":"Chrome Beta","f":"Google Chrome Beta","n":"chrome.exe","l":"chrome.dll"},{"t":1,"p":"%appdata%\
Source: Installer64x.exe1.exe, 00000002.00000003.1253178155.000000000151B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Libertytr6kh=
Source: Installer64x.exe1.exe, 00000002.00000003.1258224493.00000000014E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.j
Source: Installer64x.exe1.exe, 00000002.00000003.1258224493.00000000014E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","
Source: Installer64x.exe1.exe, 00000002.00000002.2410434125.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3BN
Source: Installer64x.exe1.exe, 00000002.00000003.1258180324.000000000148E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\prefs.js
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\key4.db
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Directory queried: C:\Users\user\Documents\BUFZSQPCOH Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Directory queried: C:\Users\user\Documents\BUFZSQPCOH Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Directory queried: C:\Users\user\Documents\DUKNXICOZT Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Directory queried: C:\Users\user\Documents\DUKNXICOZT Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Directory queried: C:\Users\user\Documents\DUKNXICOZT Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG Jump to behavior
Source: C:\Users\user\Desktop\Installer64x.exe1.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG Jump to behavior
Source: Yara match File source: 00000002.00000003.1224431929.00000000014CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1258119927.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1251363945.00000000014CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1258180324.000000000148E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Installer64x.exe1.exe PID: 3588, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: Installer64x.exe1.exe PID: 3588, type: MEMORYSTR
Source: Yara match File source: 2.2.Installer64x.exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Installer64x.exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2407790699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1222572734.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY