Windows Analysis Report
SoftWare.exe1.exe

Overview

General Information

Sample name: SoftWare.exe1.exe
Analysis ID: 1637282
MD5: 87a47a76f6fa81e316f77d1fbe07eef1
SHA1: e3455675f40783b67207aa37f5380493e54c4f18
SHA256: bf1afeb9f9662c5811556d7e3157d9225657e10573d44fee67c332acfbfc326c
Tags: exe, user-TornadoAV_dev

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection

Source: crosshairc.life/dAnjhw Avira URL Cloud: Label: malware
Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["citydisco.bet/gdJIS", "crosshairc.life/dAnjhw", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "80712606b6232d4708ff7e4bff6772778b082897fe63729d1329"}
Source: SoftWare.exe1.exe Virustotal: Detection: 42%
Source: SoftWare.exe1.exe ReversingLabs: Detection: 39%
Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp String decryptor: citydisco.bet/gdJIS
Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp String decryptor: crosshairc.life/dAnjhw
Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp String decryptor: mrodularmall.top/aNzS
Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp String decryptor: jowinjoinery.icu/bdWUa
Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp String decryptor: legenassedk.top/bdpWO
Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp String decryptor: htardwarehu.icu/Sbdsa
Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp String decryptor: cjlaspcorne.icu/DbIps
Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp String decryptor: bugildbett.top/bAuz
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 2_2_0041D1C2 CryptUnprotectData, 2_2_0041D1C2
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 2_2_0041EECC CryptUnprotectData,CryptUnprotectData, 2_2_0041EECC
Source: SoftWare.exe1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49682 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49683 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49684 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49685 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49686 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49687 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49693 version: TLS 1.2
Source: SoftWare.exe1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 0_2_00818ECE FindFirstFileExW, 0_2_00818ECE
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 0_2_00818F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00818F7F
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 2_2_00818ECE FindFirstFileExW, 2_2_00818ECE
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 2_2_00818F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00818F7F

Networking

Source: Malware configuration extractor URLs: citydisco.bet/gdJIS
Source: Malware configuration extractor URLs: crosshairc.life/dAnjhw
Source: Malware configuration extractor URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor URLs: bugildbett.top/bAuz
Source: global traffic TCP traffic: 192.168.2.8:53549 -> 162.159.36.2:53
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49686 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49683 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49684 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49687 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49693 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49685 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49682 -> 188.114.96.3:443
Source: global traffic HTTP traffic detected:
    POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 61
    Host: citydisco.bet
Source: global traffic HTTP traffic detected:
    POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=Grq7aN5l
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 14481
    Host: citydisco.bet
Source: global traffic HTTP traffic detected:
    POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=76Xg9XZJFKaBwyP6J
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15072
    Host: citydisco.bet
Source: global traffic HTTP traffic detected:
    POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=0E3xaFCwmps6oZ
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20226
    Host: citydisco.bet
Source: global traffic HTTP traffic detected:
    POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=R4KZr3ty1rwhs0Ej
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 2595
    Host: citydisco.bet
Source: global traffic HTTP traffic detected:
    POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=u8A8tLI73LrUVKOy
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 570380
    Host: citydisco.bet
Source: global traffic HTTP traffic detected:
    POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 99
    Host: citydisco.bet
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: citydisco.bet
Source: unknown HTTP traffic detected:
    POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 61
    Host: citydisco.bet
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 2_2_00440070 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard, 2_2_00440070
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 2_2_03891000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber, 2_2_03891000
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 2_2_00440220 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 2_2_00440220
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: String function: 0041BC80 appears 102 times
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: String function: 00806F60 appears 102 times
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: String function: 00814014 appears 34 times
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: String function: 0040B360 appears 49 times
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: String function: 0080F1CC appears 46 times
Source: SoftWare.exe1.exe Static PE information: invalid certificate
Source: SoftWare.exe1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SoftWare.exe1.exe Static PE information: Section: .bss ZLIB complexity 1.0003291478064067
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 2_2_004452C0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 2_2_004452C0
Source: SoftWare.exe1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SoftWare.exe1.exe, 00000002.00000003.931172699.0000000003AA2000.00000004.00000800.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.905574210.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.906334429.0000000001359000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SoftWare.exe1.exe Virustotal: Detection: 42%
Source: SoftWare.exe1.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File read: C:\Users\user\Desktop\SoftWare.exe1.exe
Source: unknown Process created: C:\Users\user\Desktop\SoftWare.exe1.exe "C:\Users\user\Desktop\SoftWare.exe1.exe"
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Process created: C:\Users\user\Desktop\SoftWare.exe1.exe "C:\Users\user\Desktop\SoftWare.exe1.exe"
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Section loaded: version.dll
Source: SoftWare.exe1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 0_2_0080711A push ecx; ret 0_2_0080712D
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 2_2_0043F467 pushad ; iretd 2_2_0043F46B
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 2_2_00454909 push ecx; retf 2_2_0045490A
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 2_2_0080711A push ecx; ret 2_2_0080712D
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SoftWare.exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SoftWare.exe1.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Window / User API: threadDelayed 6466
Source: C:\Users\user\Desktop\SoftWare.exe1.exe TID: 6132 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\SoftWare.exe1.exe TID: 1180 Thread sleep count: 6466 > 30
Source: C:\Users\user\Desktop\SoftWare.exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 0_2_00818ECE FindFirstFileExW, 0_2_00818ECE
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 0_2_00818F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00818F7F
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 2_2_00818ECE FindFirstFileExW, 2_2_00818ECE
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 2_2_00818F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00818F7F
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696494690p
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: SoftWare.exe1.exe, 00000002.00000003.1686475427.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1686839866.00000000012DC000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1076846866.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1010720289.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000002.2135362994.000000000129C000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000002.2135763168.00000000012DD000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1010456185.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.985710245.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1686657864.00000000012DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.1686475427.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1686839866.00000000012DC000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1076846866.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1010720289.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000002.2135763168.00000000012DD000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1010456185.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.985710245.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1686657864.00000000012DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWAmLS
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Users\user\Desktop\SoftWare.exe1.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 2_2_0044B1C0 LdrInitializeThunk, 2_2_0044B1C0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 0_2_00806DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00806DE8
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 0_2_0082F1B4 mov edi, dword ptr fs:[00000030h] 0_2_0082F1B4
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 0_2_0081490C GetProcessHeap, 0_2_0081490C
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 0_2_00806A2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00806A2C
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 0_2_00806DDC SetUnhandledExceptionFilter, 0_2_00806DDC
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 0_2_0080EF1E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0080EF1E
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 2_2_00806A2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00806A2C
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 2_2_00806DDC SetUnhandledExceptionFilter, 2_2_00806DDC
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 2_2_00806DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00806DE8
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 2_2_0080EF1E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0080EF1E

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 0_2_0082F1B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_0082F1B4
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Memory written: C:\Users\user\Desktop\SoftWare.exe1.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Process created: C:\Users\user\Desktop\SoftWare.exe1.exe "C:\Users\user\Desktop\SoftWare.exe1.exe"
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: EnumSystemLocalesW, 0_2_008188AB
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: GetLocaleInfoW, 0_2_008188F6
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0081899D
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: EnumSystemLocalesW, 0_2_008141F7
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: GetLocaleInfoW, 0_2_00818AA3
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00818238
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: EnumSystemLocalesW, 0_2_00818489
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: GetLocaleInfoW, 0_2_00813CFC
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00818524
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: GetLocaleInfoW, 0_2_008187D6
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: EnumSystemLocalesW, 0_2_00818777
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: EnumSystemLocalesW, 2_2_008188AB
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: GetLocaleInfoW, 2_2_008188F6
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_0081899D
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: EnumSystemLocalesW, 2_2_008141F7
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: GetLocaleInfoW, 2_2_00818AA3
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00818238
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: EnumSystemLocalesW, 2_2_00818489
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: GetLocaleInfoW, 2_2_00813CFC
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_00818524
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: GetLocaleInfoW, 2_2_008187D6
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: EnumSystemLocalesW, 2_2_00818777
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Code function: 0_2_00807827 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00807827
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: SoftWare.exe1.exe, 00000002.00000003.1010720289.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000002.2135362994.000000000129C000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1010456185.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1010421026.0000000001361000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\SoftWare.exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: SoftWare.exe1.exe PID: 4600, type: MEMORYSTR
Source: Yara match File source: 2.2.SoftWare.exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SoftWare.exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2134397080.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty
Source: SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT Jump to behavior
Source: Yara match File source: 00000002.00000003.1010720289.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.985320183.00000000012EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1010456185.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1010752102.00000000012EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.985152699.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SoftWare.exe1.exe PID: 4600, type: MEMORYSTR
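The "File opened" and "Directory queried" entries above are the stealer's collection sweep: browser credential and cookie stores for Chrome, Edge and Firefox, per-extension storage under Local Extension Settings and Sync Extension Settings (the report's "Crypto-Wallets" signature indicates these IDs belong to wallet extensions), the profile directories of several FTP clients, and the data directories of desktop wallets. The example below is an added detection sketch, not part of the sandbox report and not code from the analysis platform: it classifies file-access telemetry against the store categories derived from the paths listed above and flags any non-browser process that sweeps several categories in one run. The log format (`process|operation|target`) and the log lines themselves are constructed for the example; the target paths mirror the report's entries.

```python
import re
from collections import defaultdict

# Constructed telemetry, not from the report: "<process>|<operation>|<target path>".
# The SoftWare.exe1.exe lines mirror the report's "File opened:" entries; the
# chrome.exe lines show a browser legitimately reading its own profile.
SAMPLE_LOG = r"""
C:\Users\user\Desktop\SoftWare.exe1.exe|File opened|C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
C:\Users\user\Desktop\SoftWare.exe1.exe|File opened|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
C:\Users\user\Desktop\SoftWare.exe1.exe|File opened|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
C:\Users\user\Desktop\SoftWare.exe1.exe|File opened|C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
C:\Users\user\Desktop\SoftWare.exe1.exe|File opened|C:\Users\user\AppData\Roaming\FTPRush
C:\Users\user\Desktop\SoftWare.exe1.exe|File opened|C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
C:\Users\user\Desktop\SoftWare.exe1.exe|File opened|C:\Users\user\AppData\Roaming\Electrum\wallets
C:\Program Files\Google\Chrome\Application\chrome.exe|File opened|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
C:\Program Files\Google\Chrome\Application\chrome.exe|File opened|C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
"""

# Category rules derived from the paths the report lists. Patterns are matched
# case-insensitively against the full target path.
RULES = [
    ("browser_credentials", re.compile(
        r"\\User Data\\[^\\]+\\(?:Login Data(?: For Account)?|Web Data|History|Network\\Cookies)$", re.I)),
    ("browser_credentials", re.compile(
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(?:logins\.json|cookies\.sqlite|prefs\.js)$", re.I)),
    # Chrome extension IDs are 32 letters a-p; matched loosely because the
    # report shows a few shorter strings.
    ("extension_storage", re.compile(
        r"\\User Data\\[^\\]+\\(?:Local|Sync) Extension Settings\\[a-p]+$", re.I)),
    ("ftp_client", re.compile(
        r"\\AppData\\Roaming\\(?:FTPInfo|FTPGetter|FTPbox|FTPRush|SmartFTP)(?:\\|$)", re.I)),
    ("ftp_client", re.compile(r"\\ProgramData\\SiteDesigner\\3D-FTP$", re.I)),
    ("desktop_wallet", re.compile(
        r"\\(?:Exodus\\exodus\.wallet|Ledger Live|atomic\\Local Storage\\leveldb|"
        r"Coinomi\\Coinomi\\wallets|Bitcoin\\wallets|Binance|com\.liberty\.jaxx\\IndexedDB|"
        r"Electrum(?:-LTC)?\\wallets|Guarda\\IndexedDB)$", re.I)),
]

# Browsers are expected to read their own profile stores; anything else is not.
BROWSER_BINARIES = {"chrome.exe", "msedge.exe", "firefox.exe"}
BROWSER_OWNED = {"browser_credentials", "extension_storage"}


def classify_path(path):
    """Return the store category for a target path, or None if it is uninteresting."""
    for category, pattern in RULES:
        if pattern.search(path):
            return category
    return None


def parse_log(text):
    """Split constructed 'process|operation|target' lines into tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        process, operation, target = line.split("|", 2)
        rows.append((process, operation, target))
    return rows


def summarize(text):
    """Map each process to the set of sensitive-store categories it touched."""
    touched = defaultdict(set)
    for process, _operation, target in parse_log(text):
        category = classify_path(target)
        if category is None:
            continue
        owner = process.rsplit("\\", 1)[-1].lower()
        if owner in BROWSER_BINARIES and category in BROWSER_OWNED:
            continue  # a browser reading its own profile is normal
        touched[process].add(category)
    return dict(touched)


def flag_processes(text, min_categories=2):
    """Processes that touch at least `min_categories` distinct store types.

    One category alone can be benign (a backup tool reading a wallet directory);
    a single process sweeping browser stores, extension storage, FTP clients and
    desktop wallets in one run is the pattern the report documents.
    """
    return sorted(p for p, cats in summarize(text).items() if len(cats) >= min_categories)


if __name__ == "__main__":
    for process, cats in summarize(SAMPLE_LOG).items():
        print(f"{process}: {sorted(cats)}")
    print("flagged:", flag_processes(SAMPLE_LOG))
```

The browser allowlist keys on the image name only, which a stealer can trivially spoof by copying itself to `chrome.exe`; in production, pair it with the signer or image hash of the process. Matching on category breadth rather than on any single path is what keeps the rule quiet on legitimate software while still firing on the sweep shown above, where one executable opens Firefox, Chrome and Edge stores, extension storage, an FTP client profile and two desktop wallets within seconds.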

Remote Access Functionality

Source: Yara match File source: Process Memory Space: SoftWare.exe1.exe PID: 4600, type: MEMORYSTR
Source: Yara match File source: 2.2.SoftWare.exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SoftWare.exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2134397080.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY