Windows Analysis Report
cHAxMzM3_crypted_LAB.exe

Overview

General Information

Sample name: cHAxMzM3_crypted_LAB.exe
Analysis ID: 1601332
MD5: 64ba0e59257f84b7f699431930c5eef4
SHA1: 3ee1f223ecbd6bd88a858199c633444b8487535b
SHA256: 70e0464c584a1c3d5e735b1783cf5e8f734cf78013bb6dcef24bb8c1639c7b3b
Tags: exeuser-Pain1337
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
LummaC encrypted strings found
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to resolve many domain names, but no domain seems valid
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

barindex
Source: cHAxMzM3_crypted_LAB.exe Avira: detected
Source: stingyerasjhru.click Avira URL Cloud: Label: malware
Source: 00000000.00000002.2197097390.0000000003D19000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["nearycrepso.shop", "noisycuttej.shop", "cloudewahsj.shop", "rabidcowse.shop", "wholersorie.shop", "abruptyopsn.shop", "stingyerasjhru.click", "tirepublicerj.shop", "framekgirus.shop"], "Build id": "pqZnKP--cHAxMzM3"}
Source: cHAxMzM3_crypted_LAB.exe Virustotal: Detection: 65% Perma Link
Source: cHAxMzM3_crypted_LAB.exe ReversingLabs: Detection: 63%
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.0% probability
Source: cHAxMzM3_crypted_LAB.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00415CE3 CryptUnprotectData, 3_2_00415CE3
Source: cHAxMzM3_crypted_LAB.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49808 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49818 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49826 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49841 version: TLS 1.2
Source: cHAxMzM3_crypted_LAB.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Handler.pdbxa source: cHAxMzM3_crypted_LAB.exe
Source: Binary string: System.Windows.Forms.pdb source: WER7703.tmp.dmp.6.dr
Source: Binary string: mscorlib.pdb source: WER7703.tmp.dmp.6.dr
Source: Binary string: System.ni.pdbRSDS source: WER7703.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdb source: WER7703.tmp.dmp.6.dr
Source: Binary string: System.pdb) source: WER7703.tmp.dmp.6.dr
Source: Binary string: Handler.pdb source: cHAxMzM3_crypted_LAB.exe, WER7703.tmp.dmp.6.dr
Source: Binary string: System.Windows.Forms.pdb\ source: WER7703.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER7703.tmp.dmp.6.dr
Source: Binary string: System.ni.pdb source: WER7703.tmp.dmp.6.dr
Source: Binary string: System.pdb source: WER7703.tmp.dmp.6.dr
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov edi, dword ptr [0044E7C0h] 3_2_0040EA40
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+54h] 3_2_0042FA70
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov ebx, edx 3_2_0040CB58
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 3_2_00444380
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 27BE92A4h 3_2_00444380
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov byte ptr [eax], cl 3_2_0040E5C0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+01h] 3_2_00444DD0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 4B884A2Eh 3_2_00444DD0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then jmp ecx 3_2_00443860
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov ecx, eax 3_2_00429010
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_0041C8C0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov word ptr [ebx], cx 3_2_0041C0E0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+4Fh] 3_2_004428E5
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then movsx edx, byte ptr [esi+eax] 3_2_0041F160
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-49h] 3_2_0042A910
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 3_2_0043A120
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 53585096h 3_2_004281D0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then lea eax, dword ptr [esp+48h] 3_2_004281D0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 3_2_0042E1D0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then test esi, esi 3_2_0043E1E0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then jmp eax 3_2_004271F1
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then jmp ecx 3_2_00443980
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then movzx edx, byte ptr [ebp+00h] 3_2_00402990
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov edx, ebx 3_2_004221A0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then movzx ebx, bx 3_2_00427A55
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then jmp ecx 3_2_00443860
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then add ecx, 03h 3_2_0042B2D4
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then jmp ecx 3_2_0042C28A
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h 3_2_00440AA0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then jmp ecx 3_2_00443AB0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then movzx esi, word ptr [ecx] 3_2_00414B70
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov ebx, eax 3_2_00405B00
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov ebp, eax 3_2_00405B00
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h 3_2_00429B22
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h 3_2_0042A3CB
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov byte ptr [eax], bl 3_2_0040EBF6
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then movzx esi, byte ptr [esp+ebx+3215B430h] 3_2_0042FB80
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov byte ptr [edi], cl 3_2_0042FB80
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h 3_2_0043DB90
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000082h] 3_2_0042646B
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then jmp eax 3_2_0042646B
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov edx, eax 3_2_0041B4CC
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx-13E2C4EAh] 3_2_0041B4CC
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then jmp eax 3_2_004274D7
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov edx, ecx 3_2_00419CB0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov byte ptr [ebx], al 3_2_0042F569
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then movzx ecx, byte ptr [esi+ebx] 3_2_0042551E
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov byte ptr [ebx], cl 3_2_00430525
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov edi, edx 3_2_0043E5D0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then not eax 3_2_00415D9F
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov dword ptr [esp], eax 3_2_00415D9F
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov byte ptr [edi], cl 3_2_0041BDA9
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h 3_2_0042BDBA
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_00420E40
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h 3_2_0042BE47
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 3_2_00407660
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 3_2_00407660
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h 3_2_00416E37
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov word ptr [ebp+00h], cx 3_2_0042AEF3
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 3_2_0042C680
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h 3_2_00416E37
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-38B0D97Ch] 3_2_00430E92
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov eax, ecx 3_2_00425EAF
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then cmp word ptr [ebp+eax+00h], 0000h 3_2_00414F00
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov ebp, dword ptr [esp+24h] 3_2_00414F00
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h 3_2_00414F00
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov ecx, eax 3_2_0042F79E
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov byte ptr [ebx], cl 3_2_00430FDD
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov ecx, eax 3_2_0042B7E0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov ecx, eax 3_2_00418F98
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then mov ecx, eax 3_2_0042F7A0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax+3AF4CF65h] 3_2_0042EFB1
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax+3AF4CF65h] 3_2_0042EFB7

Networking

barindex
Source: Network traffic Suricata IDS: 2058618 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (noisycuttej .shop) : 192.168.2.6:52992 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058632 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wholersorie .shop) : 192.168.2.6:57183 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058626 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stingyerasjhru .click) : 192.168.2.6:56583 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058598 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abruptyopsn .shop) : 192.168.2.6:59644 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058616 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nearycrepso .shop) : 192.168.2.6:59851 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058628 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tirepublicerj .shop) : 192.168.2.6:53136 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058606 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop) : 192.168.2.6:52914 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058610 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (framekgirus .shop) : 192.168.2.6:51541 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2058622 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rabidcowse .shop) : 192.168.2.6:52256 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49718 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49714 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49714 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49709 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49712 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49712 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49841 -> 188.114.96.3:443
Source: Malware configuration extractor URLs: nearycrepso.shop
Source: Malware configuration extractor URLs: noisycuttej.shop
Source: Malware configuration extractor URLs: cloudewahsj.shop
Source: Malware configuration extractor URLs: rabidcowse.shop
Source: Malware configuration extractor URLs: wholersorie.shop
Source: Malware configuration extractor URLs: abruptyopsn.shop
Source: Malware configuration extractor URLs: stingyerasjhru.click
Source: Malware configuration extractor URLs: tirepublicerj.shop
Source: Malware configuration extractor URLs: framekgirus.shop
Source: unknown DNS traffic detected: query: 53.210.109.20.in-addr.arpa replaycode: Name error (3)
Source: unknown DNS traffic detected: query: nearycrepso.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: rabidcowse.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: tirepublicerj.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: cloudewahsj.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: 171.39.242.20.in-addr.arpa replaycode: Name error (3)
Source: unknown DNS traffic detected: query: wholersorie.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: framekgirus.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: noisycuttej.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: abruptyopsn.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: stingyerasjhru.click replaycode: Name error (3)
Source: global traffic TCP traffic: 192.168.2.6:60096 -> 162.159.36.2:53
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49709 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49728 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49818 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49718 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49714 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49841 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49826 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49808 -> 188.114.96.3:443
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: smiteattacekr.org
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 50Host: smiteattacekr.org
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=L0HKTNXMSLUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12814Host: smiteattacekr.org
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=K5C31IBALSUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15060Host: smiteattacekr.org
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KPQ42MDJFNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19918Host: smiteattacekr.org
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ES6UE09L8B8D2QK39User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2206Host: smiteattacekr.org
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9DT3UQT6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 571806Host: smiteattacekr.org
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 85Host: smiteattacekr.org
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: stingyerasjhru.click
Source: global traffic DNS traffic detected: DNS query: nearycrepso.shop
Source: global traffic DNS traffic detected: DNS query: abruptyopsn.shop
Source: global traffic DNS traffic detected: DNS query: wholersorie.shop
Source: global traffic DNS traffic detected: DNS query: framekgirus.shop
Source: global traffic DNS traffic detected: DNS query: tirepublicerj.shop
Source: global traffic DNS traffic detected: DNS query: noisycuttej.shop
Source: global traffic DNS traffic detected: DNS query: rabidcowse.shop
Source: global traffic DNS traffic detected: DNS query: cloudewahsj.shop
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: smiteattacekr.org
Source: global traffic DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: 53.210.109.20.in-addr.arpa
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: smiteattacekr.org
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2398174758.00000000011CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/Ua
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2398174758.00000000011CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2397940840.0000000001130000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=eVGzFA1_2smb&a
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2398174758.00000000011CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2397940840.0000000001130000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2397940840.0000000001130000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=gi31XL_w
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2397940840.0000000001130000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=F357
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2397940840.000000000115E000.00000004.00000020.00020000.00000000.sdmp, cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2397940840.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://smiteattacekr.org/
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2398174758.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2398598477.00000000038EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smiteattacekr.org/api
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2398174758.00000000011DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://smiteattacekr.org/apih
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2397940840.000000000115E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://smiteattacekr.org/dS
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2398174758.00000000011CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geoname
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2398174758.00000000011CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2398174758.00000000011CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steamp
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49808 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49818 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49826 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49841 version: TLS 1.2
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00437CC0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 3_2_00437CC0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00437CC0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, 3_2_00437CC0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00438BEF GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 3_2_00438BEF
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_004088B0 3_2_004088B0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_004259FC 3_2_004259FC
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0042FA70 3_2_0042FA70
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0043722D 3_2_0043722D
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0041123B 3_2_0041123B
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_004172AC 3_2_004172AC
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00428B40 3_2_00428B40
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0040B300 3_2_0040B300
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00444460 3_2_00444460
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00415CE3 3_2_00415CE3
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0040E5C0 3_2_0040E5C0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0043CDC0 3_2_0043CDC0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00444DD0 3_2_00444DD0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0043CFF0 3_2_0043CFF0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0040D7F4 3_2_0040D7F4
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0043C048 3_2_0043C048
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00406050 3_2_00406050
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00443860 3_2_00443860
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00444810 3_2_00444810
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_004098C0 3_2_004098C0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0041C8C0 3_2_0041C8C0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0041A8D0 3_2_0041A8D0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0041C0E0 3_2_0041C0E0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_004090F0 3_2_004090F0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00406880 3_2_00406880
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00437890 3_2_00437890
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00403940 3_2_00403940
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0042A910 3_2_0042A910
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_004281D0 3_2_004281D0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00443980 3_2_00443980
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0041D190 3_2_0041D190
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0040D197 3_2_0040D197
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_004221A0 3_2_004221A0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00443245 3_2_00443245
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00429245 3_2_00429245
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00427A55 3_2_00427A55
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00441260 3_2_00441260
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0041DA70 3_2_0041DA70
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0042820D 3_2_0042820D
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00443860 3_2_00443860
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_004202C9 3_2_004202C9
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00444AD0 3_2_00444AD0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0042B2D4 3_2_0042B2D4
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_004042F0 3_2_004042F0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_004262A0 3_2_004262A0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00412AB0 3_2_00412AB0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00443AB0 3_2_00443AB0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00443B40 3_2_00443B40
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0040F350 3_2_0040F350
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00402B50 3_2_00402B50
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00405B00 3_2_00405B00
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00440B10 3_2_00440B10
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00429B22 3_2_00429B22
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0041ABC0 3_2_0041ABC0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0042A3CB 3_2_0042A3CB
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00443BD0 3_2_00443BD0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_004063F0 3_2_004063F0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0040EBF6 3_2_0040EBF6
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00436BB7 3_2_00436BB7
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_004343B4 3_2_004343B4
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0042646B 3_2_0042646B
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00435410 3_2_00435410
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00409420 3_2_00409420
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00431420 3_2_00431420
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_004274D7 3_2_004274D7
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00424CE6 3_2_00424CE6
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0041DCF0 3_2_0041DCF0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0043C480 3_2_0043C480
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_004334B3 3_2_004334B3
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00419CB0 3_2_00419CB0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0041D500 3_2_0041D500
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00430525 3_2_00430525
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00432DD3 3_2_00432DD3
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0043E5D0 3_2_0043E5D0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0043DDE0 3_2_0043DDE0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00415D9F 3_2_00415D9F
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0040AE50 3_2_0040AE50
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00407660 3_2_00407660
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00404E20 3_2_00404E20
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00411E38 3_2_00411E38
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00443EC0 3_2_00443EC0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0043C6E0 3_2_0043C6E0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_004176FA 3_2_004176FA
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00414F00 3_2_00414F00
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0042FF09 3_2_0042FF09
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0042FF1F 3_2_0042FF1F
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00402F20 3_2_00402F20
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0040A733 3_2_0040A733
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_004127DD 3_2_004127DD
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00428FF0 3_2_00428FF0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00418F98 3_2_00418F98
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00429F9D 3_2_00429F9D
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_004207BA 3_2_004207BA
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: String function: 004081F0 appears 45 times
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: String function: 00414EF0 appears 113 times
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 916
Source: cHAxMzM3_crypted_LAB.exe, 00000000.00000000.2134830766.0000000000A08000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameHandler.exe0 vs cHAxMzM3_crypted_LAB.exe
Source: cHAxMzM3_crypted_LAB.exe, 00000000.00000002.2197097390.0000000003D19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameHandler.exe0 vs cHAxMzM3_crypted_LAB.exe
Source: cHAxMzM3_crypted_LAB.exe, 00000000.00000002.2196224087.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs cHAxMzM3_crypted_LAB.exe
Source: cHAxMzM3_crypted_LAB.exe Binary or memory string: OriginalFilenameHandler.exe0 vs cHAxMzM3_crypted_LAB.exe
Source: cHAxMzM3_crypted_LAB.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: cHAxMzM3_crypted_LAB.exe Static PE information: Section: .BSS ZLIB complexity 1.0003371646578538
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/5@13/2
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0043CFF0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 3_2_0043CFF0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3164
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\fbba78af-f14b-4711-af0b-18523f462359 Jump to behavior
Source: cHAxMzM3_crypted_LAB.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cHAxMzM3_crypted_LAB.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: cHAxMzM3_crypted_LAB.exe Virustotal: Detection: 65%
Source: cHAxMzM3_crypted_LAB.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File read: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe "C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe"
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process created: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe "C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe"
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 916
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process created: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe "C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe" Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: cHAxMzM3_crypted_LAB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: cHAxMzM3_crypted_LAB.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: cHAxMzM3_crypted_LAB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Handler.pdbxa source: cHAxMzM3_crypted_LAB.exe
Source: Binary string: System.Windows.Forms.pdb source: WER7703.tmp.dmp.6.dr
Source: Binary string: mscorlib.pdb source: WER7703.tmp.dmp.6.dr
Source: Binary string: System.ni.pdbRSDS source: WER7703.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdb source: WER7703.tmp.dmp.6.dr
Source: Binary string: System.pdb) source: WER7703.tmp.dmp.6.dr
Source: Binary string: Handler.pdb source: cHAxMzM3_crypted_LAB.exe, WER7703.tmp.dmp.6.dr
Source: Binary string: System.Windows.Forms.pdb\ source: WER7703.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER7703.tmp.dmp.6.dr
Source: Binary string: System.ni.pdb source: WER7703.tmp.dmp.6.dr
Source: Binary string: System.pdb source: WER7703.tmp.dmp.6.dr
Source: cHAxMzM3_crypted_LAB.exe Static PE information: 0xB98C4C41 [Thu Aug 23 20:32:01 2068 UTC]
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 0_2_02BB266F push ebp; iretd 0_2_02BB26D5
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0042D513 push es; mov dword ptr [esp], eax 3_2_0042D51A
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0044BEFC push eax; retn 0042h 3_2_0044BEFD
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_0044BF00 push eax; retn 0042h 3_2_0044BF01
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Memory allocated: 2B70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Memory allocated: 2D10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Memory allocated: 4D10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe TID: 7060 Thread sleep time: -90000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe TID: 7060 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2397940840.0000000001183000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWz
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2397940840.0000000001183000.00000004.00000020.00020000.00000000.sdmp, cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2397940840.0000000001130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 3_2_00441FC0 LdrInitializeThunk, 3_2_00441FC0
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 0_2_02D17FA5 mov edi, dword ptr fs:[00000030h] 0_2_02D17FA5
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 0_2_02D18122 mov edi, dword ptr fs:[00000030h] 0_2_02D18122
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Code function: 0_2_02D17FA5 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_02D17FA5
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Memory written: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: cHAxMzM3_crypted_LAB.exe, 00000000.00000002.2197097390.0000000003D19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: cloudewahsj.shop
Source: cHAxMzM3_crypted_LAB.exe, 00000000.00000002.2197097390.0000000003D19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: rabidcowse.shop
Source: cHAxMzM3_crypted_LAB.exe, 00000000.00000002.2197097390.0000000003D19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: noisycuttej.shop
Source: cHAxMzM3_crypted_LAB.exe, 00000000.00000002.2197097390.0000000003D19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: tirepublicerj.shop
Source: cHAxMzM3_crypted_LAB.exe, 00000000.00000002.2197097390.0000000003D19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: framekgirus.shop
Source: cHAxMzM3_crypted_LAB.exe, 00000000.00000002.2197097390.0000000003D19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: wholersorie.shop
Source: cHAxMzM3_crypted_LAB.exe, 00000000.00000002.2197097390.0000000003D19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: abruptyopsn.shop
Source: cHAxMzM3_crypted_LAB.exe, 00000000.00000002.2197097390.0000000003D19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: nearycrepso.shop
Source: cHAxMzM3_crypted_LAB.exe, 00000000.00000002.2197097390.0000000003D19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: stingyerasjhru.click
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Process created: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe "C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe" Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Queries volume information: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2398690270.000000000398B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: les%\Windows Defender\MsMpeng.exe
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2397940840.0000000001142000.00000004.00000020.00020000.00000000.sdmp, cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2397940840.000000000118D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

barindex
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2397940840.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum-LTC
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2397940840.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2397940840.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2398116018.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2397940840.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2397940840.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: cHAxMzM3_crypted_LAB.exe, 00000003.00000002.2398116018.00000000011C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Source: C:\Users\user\Desktop\cHAxMzM3_crypted_LAB.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior

Remote Access Functionality

barindex
Source: Yara match File source: sslproxydump.pcap, type: PCAP
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs