Windows Analysis Report
SoftWare(2).exe

Overview

General Information

Sample name: SoftWare(2).exe
Analysis ID: 1532890
MD5: 7b0d68253d0ee4679ec73a41ca863991
SHA1: 6a8d7527f2299d700091d8dbfafc187162416e3c
SHA256: c6758c468acae7447f8f9b1a15039a30f4d4a18a15fede5fd8265fba9056be8e
Tags: exe, user-4k95m

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ URL Reputation: Label: malware
Source: 2.2.SoftWare(2).exe.400000.0.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["drawwyobstacw.sbs", "mathcucom.sbs", "resinedyw.sbs", "enlargkiw.sbs", "ehticsprocw.sbs", "bleedminejw.buzz", "condifendteu.sbs", "vennurviot.sbs", "allocatinow.sbs"], "Build id": "LPnhqo--uoaywzyrlsoc"}
Source: SoftWare(2).exe ReversingLabs: Detection: 42%
Source: SoftWare(2).exe Virustotal: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability
Source: SoftWare(2).exe Joe Sandbox ML: detected
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp String decryptor: drawwyobstacw.sbs
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp String decryptor: condifendteu.sbs
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp String decryptor: ehticsprocw.sbs
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp String decryptor: vennurviot.sbs
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp String decryptor: resinedyw.sbs
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp String decryptor: enlargkiw.sbs
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp String decryptor: allocatinow.sbs
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp String decryptor: mathcucom.sbs
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp String decryptor: bleedminejw.buzz
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp String decryptor: LPnhqo--uoaywzyrlsoc
Source: SoftWare(2).exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.77.78:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.30.221:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.141.136:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: SoftWare(2).exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_00787B87 FindFirstFileExW, 0_2_00787B87
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00787B87 FindFirstFileExW, 2_2_00787B87
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare(2).exe_546ea742dd48f46178dbb2b915245098904dcb1_95a35aca_fd133525-3c5c-41ae-bc01-a4509b427ecd\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare(2).exe_99eff584d7ae45d9eb7f2942b6104d7821b2b7b5_2927e4e7_43c31aa8-2cfa-4cc4-9dd5-bf9c1b22ee4c\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue

Networking

Source: Network traffic Suricata IDS: 2056566 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enlargkiw .sbs) : 192.168.2.5:51533 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056568 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (allocatinow .sbs) : 192.168.2.5:65375 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056542 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bleedminejw .buzz) : 192.168.2.5:62342 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056564 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resinedyw .sbs) : 192.168.2.5:53169 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056567 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enlargkiw .sbs in TLS SNI) : 192.168.2.5:49708 -> 172.67.152.13:443
Source: Network traffic Suricata IDS: 2056571 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mathcucom .sbs in TLS SNI) : 192.168.2.5:49707 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2056570 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mathcucom .sbs) : 192.168.2.5:63308 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056558 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (condifendteu .sbs) : 192.168.2.5:64637 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056562 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vennurviot .sbs) : 192.168.2.5:61370 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056565 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resinedyw .sbs in TLS SNI) : 192.168.2.5:49710 -> 104.21.77.78:443
Source: Network traffic Suricata IDS: 2056563 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vennurviot .sbs in TLS SNI) : 192.168.2.5:49713 -> 172.67.140.193:443
Source: Network traffic Suricata IDS: 2056556 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawwyobstacw .sbs) : 192.168.2.5:51276 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056560 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ehticsprocw .sbs) : 192.168.2.5:51801 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056561 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ehticsprocw .sbs in TLS SNI) : 192.168.2.5:49716 -> 104.21.30.221:443
Source: Network traffic Suricata IDS: 2056557 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawwyobstacw .sbs in TLS SNI) : 192.168.2.5:49719 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2056559 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (condifendteu .sbs in TLS SNI) : 192.168.2.5:49718 -> 172.67.141.136:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49708 -> 172.67.152.13:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49708 -> 172.67.152.13:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49719 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49720 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49719 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49710 -> 104.21.77.78:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49710 -> 104.21.77.78:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49716 -> 104.21.30.221:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49716 -> 104.21.30.221:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49707 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49722 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49707 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49713 -> 172.67.140.193:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49713 -> 172.67.140.193:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49718 -> 172.67.141.136:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49718 -> 172.67.141.136:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49722 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49721 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49721 -> 172.67.206.204:443
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: Joe Sandbox View IP Address: 172.67.152.13
Source: Joe Sandbox View IP Address: 104.21.30.221
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: mathcucom.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: enlargkiw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: resinedyw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: vennurviot.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: ehticsprocw.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: condifendteu.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: drawwyobstacw.sbs
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Cookie: __cf_mw_byp=qEuMSc6rnoOw07.3fcU.Qak4OfZwqK1G3ybpwIQV99M-1728874927-0.0.1.1-/api | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 54 | Host: sergei-esenin.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=b7cb8c6e88b4056fce0b5c76; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34837Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 14 Oct 2024 03:02:06 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: bleedminejw.buzz
Source: global traffic DNS traffic detected: DNS query: mathcucom.sbs
Source: global traffic DNS traffic detected: DNS query: allocatinow.sbs
Source: global traffic DNS traffic detected: DNS query: enlargkiw.sbs
Source: global traffic DNS traffic detected: DNS query: resinedyw.sbs
Source: global traffic DNS traffic detected: DNS query: vennurviot.sbs
Source: global traffic DNS traffic detected: DNS query: ehticsprocw.sbs
Source: global traffic DNS traffic detected: DNS query: condifendteu.sbs
Source: global traffic DNS traffic detected: DNS query: drawwyobstacw.sbs
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mathcucom.sbs
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: SoftWare(2).exe String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: SoftWare(2).exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SoftWare(2).exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SoftWare(2).exe String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: SoftWare(2).exe String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: SoftWare(2).exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SoftWare(2).exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SoftWare(2).exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SoftWare(2).exe String found in binary or memory: http://ocsp.digicert.com0
Source: SoftWare(2).exe String found in binary or memory: http://ocsp.digicert.com0A
Source: SoftWare(2).exe String found in binary or memory: http://ocsp.entrust.net02
Source: SoftWare(2).exe String found in binary or memory: http://ocsp.entrust.net03
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.5.dr String found in binary or memory: http://upx.sf.net
Source: SoftWare(2).exe String found in binary or memory: http://www.digicert.com/CPS0
Source: SoftWare(2).exe String found in binary or memory: http://www.entrust.net/rpa03
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic
Source: SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://condifendteu.sbs/
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000F65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://condifendteu.sbs/api
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drawwyobstacw.sbs/
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2121876790.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drawwyobstacw.sbs/api
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000F80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drawwyobstacw.sbs:443/api
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ehticsprocw.sbs/api
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ehticsprocw.sbs/api07
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143949384.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136733850.0000000000F4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mathcucom.sbs/api
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: SoftWare(2).exe, 00000002.00000003.2143800912.0000000000F64000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000002.2271764904.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: SoftWare(2).exe, 00000002.00000002.2271764904.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api2
Source: SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api=
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/Z-
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: SoftWare(2).exe, 00000002.00000003.2136523673.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: SoftWare(2).exe, 00000002.00000003.2143756828.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: SoftWare(2).exe, 00000002.00000003.2143800912.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-managction
Source: SoftWare(2).exe, 00000002.00000003.2143756828.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: SoftWare(2).exe String found in binary or memory: https://www.entrust.net/rpa0
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: SoftWare(2).exe, 00000002.00000003.2136431071.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143659601.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.152.13:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.77.78:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.140.193:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.30.221:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.141.136:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00434890 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_00434890
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0043558E GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, 2_2_0043558E
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007CE060 0_2_007CE060
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007DC120 0_2_007DC120
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007C01C0 0_2_007C01C0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_0079C1BF 0_2_0079C1BF
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_0077E190 0_2_0077E190
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007C4234 0_2_007C4234
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007D4290 0_2_007D4290
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_0079C296 0_2_0079C296
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_0079C35A 0_2_0079C35A
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007DE320 0_2_007DE320
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007D241A 0_2_007D241A
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007A84A0 0_2_007A84A0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007B85CF 0_2_007B85CF
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_0079E5C0 0_2_0079E5C0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007BC6F0 0_2_007BC6F0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007D8690 0_2_007D8690
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007DE690 0_2_007DE690
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007A2750 0_2_007A2750
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007C2780 0_2_007C2780
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007A6850 0_2_007A6850
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007A89A0 0_2_007A89A0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007DEA00 0_2_007DEA00
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007A4B39 0_2_007A4B39
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007B0B18 0_2_007B0B18
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007C4C70 0_2_007C4C70
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007C6C50 0_2_007C6C50
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007CACE0 0_2_007CACE0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007CACD6 0_2_007CACD6
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007BACC6 0_2_007BACC6
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007A4D60 0_2_007A4D60
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007BCDB0 0_2_007BCDB0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_00782D9D 0_2_00782D9D
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007DED80 0_2_007DED80
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_00786E51 0_2_00786E51
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007D8FC0 0_2_007D8FC0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007C8F88 0_2_007C8F88
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007C9000 0_2_007C9000
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007D30BF 0_2_007D30BF
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007A3120 0_2_007A3120
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007D5260 0_2_007D5260
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_0077B25E 0_2_0077B25E
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007A5220 0_2_007A5220
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007A7570 0_2_007A7570
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_0078B551 0_2_0078B551
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007C75D0 0_2_007C75D0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007A9870 0_2_007A9870
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007D3870 0_2_007D3870
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007B9840 0_2_007B9840
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007758F5 0_2_007758F5
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007A58B0 0_2_007A58B0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007DB899 0_2_007DB899
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007CBA18 0_2_007CBA18
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007D3AD0 0_2_007D3AD0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_00771AC2 0_2_00771AC2
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007C5AA1 0_2_007C5AA1
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007BBBFD 0_2_007BBBFD
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_00789BCD 0_2_00789BCD
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007BBCD0 0_2_007BBCD0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007A1D50 0_2_007A1D50
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007A5D40 0_2_007A5D40
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_0079FD00 0_2_0079FD00
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007C9D06 0_2_007C9D06
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_00771D0A 0_2_00771D0A
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_0079FD98 0_2_0079FD98
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007DDE10 0_2_007DDE10
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007C5EC0 0_2_007C5EC0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007C3E90 0_2_007C3E90
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0043A320 2_2_0043A320
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00440762 2_2_00440762
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0040E930 2_2_0040E930
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0040EE60 2_2_0040EE60
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00442ED0 2_2_00442ED0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00401000 2_2_00401000
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0042E0C0 2_2_0042E0C0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_004420C0 2_2_004420C0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_004270D8 2_2_004270D8
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0043E080 2_2_0043E080
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0043817F 2_2_0043817F
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00433120 2_2_00433120
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_004081E0 2_2_004081E0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_004411E0 2_2_004411E0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0040127F 2_2_0040127F
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0040A2E0 2_2_0040A2E0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_004292F4 2_2_004292F4
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00425280 2_2_00425280
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0042A292 2_2_0042A292
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_004292A0 2_2_004292A0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00439350 2_2_00439350
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00401356 2_2_00401356
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00426330 2_2_00426330
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00442330 2_2_00442330
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_004433E0 2_2_004433E0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0042B42B 2_2_0042B42B
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_004374DA 2_2_004374DA
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0042F4F5 2_2_0042F4F5
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0040D560 2_2_0040D560
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00442570 2_2_00442570
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0041D57E 2_2_0041D57E
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0040C630 2_2_0040C630
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0042EDC6 2_2_0042EDC6
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_004416E0 2_2_004416E0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00403680 2_2_00403680
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0042C690 2_2_0042C690
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0043D750 2_2_0043D750
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00443750 2_2_00443750
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00430788 2_2_00430788
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_004217B0 2_2_004217B0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00427840 2_2_00427840
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0042E870 2_2_0042E870
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00407810 2_2_00407810
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0040A970 2_2_0040A970
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0041E900 2_2_0041E900
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0040B910 2_2_0040B910
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00438930 2_2_00438930
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0040DA60 2_2_0040DA60
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00411A18 2_2_00411A18
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00443AC0 2_2_00443AC0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0042AB2D 2_2_0042AB2D
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00415BD8 2_2_00415BD8
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00441B80 2_2_00441B80
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00438B90 2_2_00438B90
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0041DCC6 2_2_0041DCC6
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0041FCB0 2_2_0041FCB0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00404D70 2_2_00404D70
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0042BD10 2_2_0042BD10
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00429D30 2_2_00429D30
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00439D8A 2_2_00439D8A
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00420D90 2_2_00420D90
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0042AD9A 2_2_0042AD9A
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00443E40 2_2_00443E40
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00421E70 2_2_00421E70
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0040AE00 2_2_0040AE00
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00406E10 2_2_00406E10
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00409E20 2_2_00409E20
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00441EE0 2_2_00441EE0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00439E8A 2_2_00439E8A
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00428F50 2_2_00428F50
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00441FC0 2_2_00441FC0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_007758F5 2_2_007758F5
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0077E190 2_2_0077E190
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0077B25E 2_2_0077B25E
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00771AC2 2_2_00771AC2
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00789BCD 2_2_00789BCD
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0078B551 2_2_0078B551
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00771D0A 2_2_00771D0A
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00782D9D 2_2_00782D9D
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00786E51 2_2_00786E51
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: String function: 0040C430 appears 73 times
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: String function: 007A7370 appears 103 times
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: String function: 00781CFA appears 40 times
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: String function: 0041C410 appears 189 times
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: String function: 007B7350 appears 189 times
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: String function: 0077C1A5 appears 42 times
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: String function: 007761F0 appears 104 times
Source: C:\Users\user\Desktop\SoftWare(2).exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 308
Source: SoftWare(2).exe Static PE information: invalid certificate
Source: SoftWare(2).exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SoftWare(2).exe Static PE information: Section: .data ZLIB complexity 0.9907404119318182
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/13@11/8
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00425020 CoCreateInstance, 2_2_00425020
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6096
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1708
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\5c56724c-d368-42cb-ace7-94fe3149d7f5
Source: SoftWare(2).exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SoftWare(2).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SoftWare(2).exe ReversingLabs: Detection: 42%
Source: SoftWare(2).exe Virustotal: Detection: 42%
Source: C:\Users\user\Desktop\SoftWare(2).exe File read: C:\Users\user\Desktop\SoftWare(2).exe
Source: unknown Process created: C:\Users\user\Desktop\SoftWare(2).exe "C:\Users\user\Desktop\SoftWare(2).exe"
Source: C:\Users\user\Desktop\SoftWare(2).exe Process created: C:\Users\user\Desktop\SoftWare(2).exe "C:\Users\user\Desktop\SoftWare(2).exe"
Source: C:\Users\user\Desktop\SoftWare(2).exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 308
Source: C:\Users\user\Desktop\SoftWare(2).exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1656
Source: C:\Users\user\Desktop\SoftWare(2).exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1712
Source: C:\Users\user\Desktop\SoftWare(2).exe Process created: C:\Users\user\Desktop\SoftWare(2).exe "C:\Users\user\Desktop\SoftWare(2).exe"
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe Section loaded: ondemandconnroutehelper.dll
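As an added example (editor's code, not part of this report and not code from the sample), a small triage script over the "Code function" / "String function" entries earlier in this section and the "Process created", WerFault and "Mutant created" entries above. It flags the self-spawn (SoftWare(2).exe launching a second SoftWare(2).exe, the process shape behind the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures), correlates the PIDs WerFault was started for (the `-p` argument) with the `WERReportingForProcess<pid>` mutants WerFault created, splits the reported function addresses per process by 1 MiB region (the process-2 functions fall into two ranges, 0x0040xxxx, which is the common linker default image base for 32-bit executables, and 0x0077xxxx-0x0078xxxx, whereas process 0 only reports the higher range; since the file is DYNAMIC_BASE, code at 0x400000 is worth a closer look as a possibly injected image), and ranks the "String function" entries by call count as candidates for the string-decryption routine. The sample lines are copied from this report; reading the first field of `2_2_<addr>` as the analysis process index, and the region heuristic, are the editor's assumptions.

```python
"""Triage helpers for the behaviour lines of a sandbox report.

Added example (editor's code, not part of the report or the sample). The
sample lines are copied verbatim from this report; the heuristics and the
reading of '2_2_<addr>' as <process index>_<run>_<address> are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed input: lines copied from this report's process tree, WerFault
# invocations, mutants, and a few 'Code function' / 'String function' rows.
SAMPLE_LINES = r"""
Source: unknown Process created: C:\Users\user\Desktop\SoftWare(2).exe "C:\Users\user\Desktop\SoftWare(2).exe"
Source: C:\Users\user\Desktop\SoftWare(2).exe Process created: C:\Users\user\Desktop\SoftWare(2).exe "C:\Users\user\Desktop\SoftWare(2).exe"
Source: C:\Users\user\Desktop\SoftWare(2).exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 308
Source: C:\Users\user\Desktop\SoftWare(2).exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1656
Source: C:\Users\user\Desktop\SoftWare(2).exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1712
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6096
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1708
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0042C690 2_2_0042C690
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00441FC0 2_2_00441FC0
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_007758F5 2_2_007758F5
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_0077BE0F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0077BE0F
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: String function: 0040C430 appears 73 times
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: String function: 0041C410 appears 189 times
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: String function: 007B7350 appears 189 times
"""

PROC_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>\S+) (?P<cmdline>.+)$")
WER_RE = re.compile(r"WerFault\.exe -u -p (?P<pid>\d+) -s (?P<val>\d+)")
MUTANT_RE = re.compile(r"Mutant created: .*WERReportingForProcess(?P<pid>\d+)$")
# Assumption: '<process index>_<run>_<8 hex digits>'; 'String function' rows do not match.
FUNC_RE = re.compile(r"Code function: (?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8})")
STRFN_RE = re.compile(r"String function: (?P<addr>[0-9A-Fa-f]{8}) appears (?P<n>\d+) times")


def parse_process_tree(lines):
    """Return (parent image, child image, child command line) tuples."""
    return [(m["parent"], m["image"], m["cmdline"])
            for m in map(PROC_RE.match, lines) if m]


def find_self_spawns(procs):
    """Parent launching a child with its own image: the shape expected when a
    loader starts a (suspended) copy of itself to host an injected payload."""
    return [(parent, child) for parent, child, _ in procs if parent == child]


def crashed_pids(lines):
    """PIDs passed to WerFault via '-p' (with how often each was reported),
    plus the PIDs named in WERReportingForProcess<pid> mutants."""
    from_args, from_mutants = Counter(), set()
    for line in lines:
        m = WER_RE.search(line)
        if m:
            from_args[int(m["pid"])] += 1
        m = MUTANT_RE.search(line)
        if m:
            from_mutants.add(int(m["pid"]))
    return from_args, from_mutants


def function_regions(lines, region=0x100000):
    """Count 'Code function' addresses per process index by 1 MiB region, so
    code around the 0x400000 default base is separated from relocated code."""
    regions = defaultdict(Counter)
    for m in map(FUNC_RE.search, lines):
        if m:
            regions[int(m["pid"])][int(m["addr"], 16) & ~(region - 1)] += 1
    return regions


def string_function_candidates(lines):
    """(call count, address) pairs, most-called first: the first places to
    look for a string-decryption routine."""
    found = [(int(m["n"]), int(m["addr"], 16))
             for m in map(STRFN_RE.search, lines) if m]
    return sorted(found, reverse=True)


def triage(lines):
    """Bundle the checks above into one summary dict."""
    procs = parse_process_tree(lines)
    wer_args, wer_mutants = crashed_pids(lines)
    return {
        "self_spawns": find_self_spawns(procs),
        "werfault_pids": dict(wer_args),
        "werfault_pids_confirmed_by_mutant": sorted(set(wer_args) & wer_mutants),
        "function_regions": {pid: {hex(r): n for r, n in c.items()}
                             for pid, c in function_regions(lines).items()},
        "string_function_candidates": [(n, hex(a)) for n, a in string_function_candidates(lines)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES.strip().splitlines()).items():
        print(f"{key}: {value}")
```

Run against the full text export of a report rather than the excerpt above; the regexes only look at the line shapes this section uses, so other signature rows are ignored rather than mis-parsed.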
Source: SoftWare(2).exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SoftWare(2).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007CCCA1 push es; ret 0_2_007CCCA3
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007E1233 push FFFFFFD4h; iretd 0_2_007E1236
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007CD3BE push es; mov dword ptr [esp], eax 0_2_007CD3E2
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_0077570F push ecx; ret 0_2_00775722
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_00771F88 push eax; ret 0_2_00771FE4
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0044903D push FFFFFFD0h; retf 2_2_0044903F
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_004470F3 push FFFFFFD4h; iretd 2_2_004470F6
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0043247E push es; mov dword ptr [esp], eax 2_2_004324A2
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0044A5B4 push ebx; retf 0041h 2_2_0044A5B5
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0044A5B8 push ebx; retf 0041h 2_2_0044A5B9
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00431D61 push es; ret 2_2_00431D63
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0077570F push ecx; ret 2_2_00775722
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00771F88 push eax; ret 2_2_00771FE4
Source: C:\Users\user\Desktop\SoftWare(2).exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\SoftWare(2).exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SoftWare(2).exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (15 identical entries collapsed)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (150 identical entries collapsed)
Source: C:\Users\user\Desktop\SoftWare(2).exe API coverage: 5.2 %
Source: C:\Users\user\Desktop\SoftWare(2).exe API coverage: 5.6 %
Source: C:\Users\user\Desktop\SoftWare(2).exe TID: 3364 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_00787B87 FindFirstFileExW, 0_2_00787B87
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00787B87 FindFirstFileExW, 2_2_00787B87
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare(2).exe_546ea742dd48f46178dbb2b915245098904dcb1_95a35aca_fd133525-3c5c-41ae-bc01-a4509b427ecd\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SoftWare(2).exe_99eff584d7ae45d9eb7f2942b6104d7821b2b7b5_2927e4e7_43c31aa8-2cfa-4cc4-9dd5-bf9c1b22ee4c\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: Amcache.hve.5.dr Binary or memory string: VMware
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000002.2271764904.0000000000F80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW O
Source: SoftWare(2).exe, 00000002.00000003.2121876790.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2143800912.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000003.2136578311.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe, 00000002.00000002.2271764904.0000000000F80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: SoftWare(2).exe, 00000002.00000002.2271764904.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\SoftWare(2).exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SoftWare(2).exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0043A320 LdrInitializeThunk, 2_2_0043A320
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_0077BE0F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0077BE0F
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_00782B19 mov eax, dword ptr fs:[00000030h] 0_2_00782B19
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_00771FEA mov edi, dword ptr fs:[00000030h] 0_2_00771FEA
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_00782B5D mov eax, dword ptr fs:[00000030h] 0_2_00782B5D
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_0077F4C6 mov ecx, dword ptr fs:[00000030h] 0_2_0077F4C6
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00782B5D mov eax, dword ptr fs:[00000030h] 2_2_00782B5D
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00782B19 mov eax, dword ptr fs:[00000030h] 2_2_00782B19
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0077F4C6 mov ecx, dword ptr fs:[00000030h] 2_2_0077F4C6
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00771FEA mov edi, dword ptr fs:[00000030h] 2_2_00771FEA
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_0078ACE2 GetProcessHeap, 0_2_0078ACE2
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_00776120 SetUnhandledExceptionFilter, 0_2_00776120
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_00775C64 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00775C64
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_0077BE0F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0077BE0F
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_00775F93 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00775F93
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00776120 SetUnhandledExceptionFilter, 2_2_00776120
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00775C64 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00775C64
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_0077BE0F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0077BE0F
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 2_2_00775F93 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00775F93

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SoftWare(2).exe Memory written: C:\Users\user\Desktop\SoftWare(2).exe base: 400000 value starts with: 4D5A
Source: SoftWare(2).exe String found in binary or memory: enlargkiw.sbs
Source: SoftWare(2).exe String found in binary or memory: allocatinow.sbs
Source: SoftWare(2).exe String found in binary or memory: mathcucom.sbs
Source: SoftWare(2).exe String found in binary or memory: bleedminejw.buzz
Source: SoftWare(2).exe String found in binary or memory: drawwyobstacw.sbs
Source: SoftWare(2).exe String found in binary or memory: condifendteu.sbs
Source: SoftWare(2).exe String found in binary or memory: ehticsprocw.sbs
Source: SoftWare(2).exe String found in binary or memory: vennurviot.sbs
Source: SoftWare(2).exe String found in binary or memory: resinedyw.sbs
Source: C:\Users\user\Desktop\SoftWare(2).exe Process created: C:\Users\user\Desktop\SoftWare(2).exe "C:\Users\user\Desktop\SoftWare(2).exe"
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_0078A11C
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: EnumSystemLocalesW, 0_2_0078A3BE
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: EnumSystemLocalesW, 0_2_0078A409
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: EnumSystemLocalesW, 0_2_0078A4A4
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0078A52F
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: GetLocaleInfoW, 0_2_0078A782
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0078A8AB
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: GetLocaleInfoW, 0_2_0078A9B1
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0078AA80
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: EnumSystemLocalesW, 0_2_00781A66
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: GetLocaleInfoW, 0_2_00781F50
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_0078A8AB
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 2_2_0078A11C
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: GetLocaleInfoW, 2_2_0078A9B1
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: EnumSystemLocalesW, 2_2_00781A66
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_0078AA80
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: EnumSystemLocalesW, 2_2_0078A3BE
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: EnumSystemLocalesW, 2_2_0078A409
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: EnumSystemLocalesW, 2_2_0078A4A4
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_0078A52F
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: GetLocaleInfoW, 2_2_00781F50
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: GetLocaleInfoW, 2_2_0078A782
Source: C:\Users\user\Desktop\SoftWare(2).exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SoftWare(2).exe Code function: 0_2_007751AF GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 0_2_007751AF
Source: C:\Users\user\Desktop\SoftWare(2).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 2.2.SoftWare(2).exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SoftWare(2).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SoftWare(2).exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 2.2.SoftWare(2).exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.SoftWare(2).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SoftWare(2).exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2256462408.000000000079B000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2271390753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY