Windows Analysis Report
SoftWare(2).exe1.exe

Overview

General Information

Sample name: SoftWare(2).exe1.exe
Analysis ID: 1637269
MD5: 3312164cbdf37c1dfb5d1b3f5d9c9863
SHA1: e3e8ae938c16655b4058089b856b070434384fa6
SHA256: d88aa5595bef3c5e49ab6a408d9a15114496936e1231aced7d55a4f2052d083d
Tags: exe, user-TornadoAV_dev

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection

Source: https://citydisco.bet:443/gdJIS Avira URL Cloud: Label: malware
Source: crosshairc.life/dAnjhw Avira URL Cloud: Label: malware
Source: 00000002.00000002.1358798719.0000000000B93000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: LummaC {"C2 url": ["citydisco.bet/gdJIS", "crosshairc.life/dAnjhw", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"]}
Source: SoftWare(2).exe1.exe Virustotal: Detection: 45%
Source: 00000002.00000002.1358798719.0000000000B93000.00000004.00000020.00020000.00000000.sdmp String decryptor: citydisco.bet/gdJIS
Source: 00000002.00000002.1358798719.0000000000B93000.00000004.00000020.00020000.00000000.sdmp String decryptor: crosshairc.life/dAnjhw
Source: 00000002.00000002.1358798719.0000000000B93000.00000004.00000020.00020000.00000000.sdmp String decryptor: mrodularmall.top/aNzS
Source: 00000002.00000002.1358798719.0000000000B93000.00000004.00000020.00020000.00000000.sdmp String decryptor: jowinjoinery.icu/bdWUa
Source: 00000002.00000002.1358798719.0000000000B93000.00000004.00000020.00020000.00000000.sdmp String decryptor: legenassedk.top/bdpWO
Source: 00000002.00000002.1358798719.0000000000B93000.00000004.00000020.00020000.00000000.sdmp String decryptor: htardwarehu.icu/Sbdsa
Source: 00000002.00000002.1358798719.0000000000B93000.00000004.00000020.00020000.00000000.sdmp String decryptor: cjlaspcorne.icu/DbIps
Source: 00000002.00000002.1358798719.0000000000B93000.00000004.00000020.00020000.00000000.sdmp String decryptor: bugildbett.top/bAuz
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0041C378 CryptUnprotectData,CryptUnprotectData, 4_2_0041C378
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0041B570 CryptUnprotectData, 4_2_0041B570
Source: SoftWare(2).exe1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: SoftWare(2).exe1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00E08ECE FindFirstFileExW, 2_2_00E08ECE
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00E08F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00E08F7F
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00E08ECE FindFirstFileExW, 4_2_00E08ECE
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00E08F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 4_2_00E08F7F
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000001E8h] 4_2_00412042
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx] 4_2_0044D090
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-0CA48CCCh] 4_2_0042E9A0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov word ptr [ecx], dx 4_2_004119BB
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+0Ch] 4_2_00420A00
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-77E6050Eh] 4_2_00420A00
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov edx, ecx 4_2_0044CAF0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov byte ptr [esi], cl 4_2_00435B69
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov byte ptr [esi], al 4_2_00435B69
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+2BB14466h] 4_2_00435B69
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-77E6040Ah] 4_2_0041B570
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+72h] 4_2_0041B570
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax-6D882F28h] 4_2_0041B570
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then inc ebx 4_2_00401040
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov byte ptr [ecx], al 4_2_00411040
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov word ptr [eax], dx 4_2_0041A870
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov dword ptr [esp+08h], eax 4_2_0041A870
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C0F3A0E1h 4_2_0041A870
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h 4_2_0043282C
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h 4_2_004328C8
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov word ptr [ebp+00h], cx 4_2_004288D0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+edx+74h] 4_2_0042C0D1
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov eax, ebx 4_2_00431160
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 4_2_00440900
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov byte ptr [esi], cl 4_2_00436917
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then cmp word ptr [edi+ecx+02h], 0000h 4_2_0040EA7C
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov ecx, ebx 4_2_0040C200
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov ebx, eax 4_2_00408A10
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-0CA48CCCh] 4_2_0042E2C0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov byte ptr [ecx], al 4_2_004372F5
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 4_2_0040A350
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 4_2_0040A350
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 61A44046h 4_2_0041CB18
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-77E6053Ah] 4_2_00448320
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movsx edx, byte ptr [ebp+ebx+00h] 4_2_0044AB23
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx] 4_2_0044B330
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then jmp ecx 4_2_0044B330
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov byte ptr [edx], al 4_2_004383C6
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov byte ptr [edi], al 4_2_0040C3D0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx] 4_2_0044B3D0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then jmp ecx 4_2_0044B3D0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx edi, byte ptr [esp+eax] 4_2_00428380
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx esi, word ptr [ecx] 4_2_0041A390
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov byte ptr [ecx], al 4_2_00438452
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-612193E0h] 4_2_00431460
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx] 4_2_0044B460
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then jmp ecx 4_2_0044B460
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+14h] 4_2_0040D4C0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax] 4_2_0044D4E0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 4_2_00432CF0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov esi, ecx 4_2_00430522
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6851E954h] 4_2_00427DC0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov edi, esi 4_2_00427DC0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-58962266h] 4_2_0042EDF0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx ebx, byte ptr [esp+eax-77E6053Ah] 4_2_00445580
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx ebx, byte ptr [esp+eax+000002B0h] 4_2_0041F642
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h 4_2_00447E40
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov byte ptr [ebx], cl 4_2_00434E68
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov byte ptr [edx], al 4_2_00437E14
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov word ptr [eax], dx 4_2_0041EEE2
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+04h] 4_2_0044A6F0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov eax, ebx 4_2_00430E89
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-0CA48CCCh] 4_2_0042DF70
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+4EC5F092h] 4_2_0042BF00
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov word ptr [eax], dx 4_2_0041D01D
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+481F046Fh] 4_2_00423F10
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then mov esi, ecx 4_2_00430724
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-22399302h] 4_2_0040C730
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 4_2_0041A7B0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 7A542AABh 4_2_0044C7B0

Networking

Source: Malware configuration extractor URLs: citydisco.bet/gdJIS
Source: Malware configuration extractor URLs: crosshairc.life/dAnjhw
Source: Malware configuration extractor URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor URLs: bugildbett.top/bAuz
Source: global traffic HTTP traffic detected: GET /conhost.exe HTTP/1.1
    Connection: Keep-Alive
    Host: 185.215.113.51
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 185.215.113.51 185.215.113.51
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49718 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49719 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49724 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49720 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49722 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49721 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49726 -> 188.114.97.3:443
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 67
    Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=5CEAHR39e
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 19592
    Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=CGeyHTI7bbTd9
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8769
    Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=buU39pNjnU
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20407
    Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=9Xc17ag4fOi8gKd7mM
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 2450
    Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=BF6y4lIf5N61ZHiN3
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 550959
    Host: citydisco.bet
Source: global traffic HTTP traffic detected: POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 105
    Host: citydisco.bet
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.51
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /conhost.exe HTTP/1.1
    Connection: Keep-Alive
    Host: 185.215.113.51
Source: global traffic DNS traffic detected: DNS query: citydisco.bet
Source: unknown HTTP traffic detected: POST /gdJIS HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 67
    Host: citydisco.bet
Source: SoftWare(2).exe1.exe, 00000004.00000002.2595399499.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000003.2161497326.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/
Source: SoftWare(2).exe1.exe, 00000004.00000002.2594773980.000000000093B000.00000004.00000010.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000002.2595399499.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000002.2595372216.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000003.2161497326.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/conhost.exe
Source: SoftWare(2).exe1.exe, 00000004.00000002.2595474756.0000000000AC4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/conhost.exe)
Source: SoftWare(2).exe1.exe, 00000004.00000002.2595399499.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000003.2161497326.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51/conhost.exeEM
Source: SoftWare(2).exe1.exe, 00000004.00000003.2162805840.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000002.2595016861.0000000000A37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.51:80/conhost.exe
Source: SoftWare(2).exe1.exe, 00000004.00000003.1433761674.000000000352E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: SoftWare(2).exe1.exe, 00000004.00000003.1433761674.000000000352E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: SoftWare(2).exe1.exe, 00000004.00000003.1433761674.000000000352E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: SoftWare(2).exe1.exe, 00000004.00000003.1433761674.000000000352E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: SoftWare(2).exe1.exe, 00000004.00000003.1433761674.000000000352E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: SoftWare(2).exe1.exe, 00000004.00000003.1433761674.000000000352E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: SoftWare(2).exe1.exe, 00000004.00000003.1433761674.000000000352E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: SoftWare(2).exe1.exe, 00000004.00000003.1433761674.000000000352E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: SoftWare(2).exe1.exe, 00000004.00000003.1433761674.000000000352E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: SoftWare(2).exe1.exe, 00000004.00000003.1433761674.000000000352E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: SoftWare(2).exe1.exe, 00000004.00000003.1433761674.000000000352E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: SoftWare(2).exe1.exe, 00000004.00000003.1386923547.0000000003518000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: SoftWare(2).exe1.exe, 00000004.00000003.1435235093.0000000000AD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: SoftWare(2).exe1.exe, 00000004.00000003.1435235093.0000000000AD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: SoftWare(2).exe1.exe, 00000004.00000003.1386923547.0000000003518000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SoftWare(2).exe1.exe, 00000004.00000003.1386923547.0000000003518000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SoftWare(2).exe1.exe, 00000004.00000003.1386923547.0000000003518000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SoftWare(2).exe1.exe, 00000004.00000003.1484920771.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/
Source: SoftWare(2).exe1.exe, 00000004.00000002.2595474756.0000000000AC4000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000003.1410987437.0000000000AE9000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000003.1410866234.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJIS
Source: SoftWare(2).exe1.exe, 00000004.00000003.1387446253.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJISOCKTP
Source: SoftWare(2).exe1.exe, 00000004.00000003.1410956632.0000000000AD9000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000003.1387446253.0000000000ADB000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000003.1410987437.0000000000AE9000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000003.1410866234.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJISgI19r
Source: SoftWare(2).exe1.exe, 00000004.00000002.2595474756.0000000000AC4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/gdJISs
Source: SoftWare(2).exe1.exe, 00000004.00000002.2595399499.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000003.2161497326.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet/k
Source: SoftWare(2).exe1.exe, 00000004.00000003.1530102185.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000003.1485231679.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000003.2162805840.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000003.1461385869.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000002.2595016861.0000000000A37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet:443/gdJIS
Source: SoftWare(2).exe1.exe, 00000004.00000003.1530102185.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000003.1485231679.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000003.2162805840.0000000000A35000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000003.1461385869.0000000000A34000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000002.2595016861.0000000000A37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://citydisco.bet:443/gdJISY
Source: SoftWare(2).exe1.exe, 00000004.00000003.1435235093.0000000000AD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: SoftWare(2).exe1.exe, 00000004.00000003.1435235093.0000000000AD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: SoftWare(2).exe1.exe, 00000004.00000003.1386923547.0000000003518000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SoftWare(2).exe1.exe, 00000004.00000003.1386923547.0000000003518000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: SoftWare(2).exe1.exe, 00000004.00000003.1386923547.0000000003518000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SoftWare(2).exe1.exe, 00000004.00000003.1386923547.0000000003518000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: SoftWare(2).exe1.exe, 00000004.00000003.1435235093.0000000000AD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: SoftWare(2).exe1.exe, 00000004.00000003.1434885120.000000000372B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: SoftWare(2).exe1.exe, 00000004.00000003.1434885120.000000000372B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: SoftWare(2).exe1.exe, 00000004.00000003.1435235093.0000000000AD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: SoftWare(2).exe1.exe, 00000004.00000003.1386923547.0000000003518000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: SoftWare(2).exe1.exe, 00000004.00000003.1435235093.0000000000AD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: SoftWare(2).exe1.exe, 00000004.00000003.1386923547.0000000003518000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: SoftWare(2).exe1.exe, 00000004.00000003.1434885120.000000000372B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: SoftWare(2).exe1.exe, 00000004.00000003.1434885120.000000000372B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: SoftWare(2).exe1.exe, 00000004.00000003.1434885120.000000000372B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: SoftWare(2).exe1.exe, 00000004.00000003.1434885120.000000000372B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: SoftWare(2).exe1.exe, 00000004.00000003.1434885120.000000000372B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0043E7C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard, 4_2_0043E7C0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_03311000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber, 4_2_03311000
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0043F1BF GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 4_2_0043F1BF
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC31F0 2_2_00DC31F0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC3640 2_2_00DC3640
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DF00D0 2_2_00DF00D0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC8090 2_2_00DC8090
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD0890 2_2_00DD0890
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE3890 2_2_00DE3890
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DF1890 2_2_00DF1890
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC4080 2_2_00DC4080
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DED080 2_2_00DED080
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC58A0 2_2_00DC58A0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DDE0A0 2_2_00DDE0A0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD4040 2_2_00DD4040
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC6070 2_2_00DC6070
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DEF060 2_2_00DEF060
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DF3813 2_2_00DF3813
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DDC010 2_2_00DDC010
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC1000 2_2_00DC1000
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DDA820 2_2_00DDA820
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD9020 2_2_00DD9020
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DEA020 2_2_00DEA020
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DDB1E0 2_2_00DDB1E0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD6180 2_2_00DD6180
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DEF9B0 2_2_00DEF9B0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC4940 2_2_00DC4940
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DDC940 2_2_00DDC940
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DCE170 2_2_00DCE170
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DF3160 2_2_00DF3160
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE0110 2_2_00DE0110
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE9100 2_2_00DE9100
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00E0C908 2_2_00E0C908
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DF2920 2_2_00DF2920
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DCF2D0 2_2_00DCF2D0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD52C0 2_2_00DD52C0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DEF2E0 2_2_00DEF2E0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD4290 2_2_00DD4290
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC2280 2_2_00DC2280
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE9AB0 2_2_00DE9AB0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DCEAA0 2_2_00DCEAA0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DF6A54 2_2_00DF6A54
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE8A50 2_2_00DE8A50
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE0A10 2_2_00DE0A10
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE6A00 2_2_00DE6A00
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE8200 2_2_00DE8200
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC5220 2_2_00DC5220
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC9220 2_2_00DC9220
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE5220 2_2_00DE5220
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DDF3D0 2_2_00DDF3D0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD73F0 2_2_00DD73F0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC6390 2_2_00DC6390
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD3390 2_2_00DD3390
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DDABA0 2_2_00DDABA0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE0350 2_2_00DE0350
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC8340 2_2_00DC8340
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DEEB40 2_2_00DEEB40
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DDFB70 2_2_00DDFB70
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE1370 2_2_00DE1370
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DCC310 2_2_00DCC310
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DCB300 2_2_00DCB300
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DCE4C0 2_2_00DCE4C0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD3CC0 2_2_00DD3CC0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DDCCE0 2_2_00DDCCE0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD0490 2_2_00DD0490
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DF3C90 2_2_00DF3C90
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC6C80 2_2_00DC6C80
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD6480 2_2_00DD6480
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE5480 2_2_00DE5480
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DF2480 2_2_00DF2480
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC54A0 2_2_00DC54A0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE8450 2_2_00DE8450
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC2C40 2_2_00DC2C40
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DDEC40 2_2_00DDEC40
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE8C40 2_2_00DE8C40
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DF3477 2_2_00DF3477
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE5C60 2_2_00DE5C60
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00E01420 2_2_00E01420
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DFB41A 2_2_00DFB41A
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC5C20 2_2_00DC5C20
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DEF5D0 2_2_00DEF5D0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DF35C0 2_2_00DF35C0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC9580 2_2_00DC9580
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DEDD80 2_2_00DEDD80
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD55B0 2_2_00DD55B0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DEEDB0 2_2_00DEEDB0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DDDD50 2_2_00DDDD50
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DEFD50 2_2_00DEFD50
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD8540 2_2_00DD8540
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DDD560 2_2_00DDD560
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD9500 2_2_00DD9500
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC7D30 2_2_00DC7D30
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DCF530 2_2_00DCF530
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DCAD30 2_2_00DCAD30
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD26F0 2_2_00DD26F0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DF1EF0 2_2_00DF1EF0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD2E90 2_2_00DD2E90
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE8690 2_2_00DE8690
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DF2E90 2_2_00DF2E90
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DEB680 2_2_00DEB680
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DDC6A0 2_2_00DDC6A0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD7E50 2_2_00DD7E50
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC8640 2_2_00DC8640
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD6E40 2_2_00DD6E40
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC4660 2_2_00DC4660
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DDB630 2_2_00DDB630
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE9630 2_2_00DE9630
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD7620 2_2_00DD7620
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD0E20 2_2_00DD0E20
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DF0620 2_2_00DF0620
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC67D0 2_2_00DC67D0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC9FF0 2_2_00DC9FF0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DC1790 2_2_00DC1790
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD6790 2_2_00DD6790
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DCB780 2_2_00DCB780
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE0F80 2_2_00DE0F80
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00E0E782 2_2_00E0E782
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DDFF70 2_2_00DDFF70
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DE9F00 2_2_00DE9F00
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DCE730 2_2_00DCE730
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DD9720 2_2_00DD9720
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0042B00F 4_2_0042B00F
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00417170 4_2_00417170
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0042E9A0 4_2_0042E9A0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00420A00 4_2_00420A00
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0044CAF0 4_2_0044CAF0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00443AB0 4_2_00443AB0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0042B350 4_2_0042B350
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00447B50 4_2_00447B50
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00435B69 4_2_00435B69
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00412378 4_2_00412378
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0041C378 4_2_0041C378
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0040BB10 4_2_0040BB10
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0043638D 4_2_0043638D
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0041B570 4_2_0041B570
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0044BE70 4_2_0044BE70
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0041569F 4_2_0041569F
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00443EA0 4_2_00443EA0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00449F27 4_2_00449F27
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00401040 4_2_00401040
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00411040 4_2_00411040
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00443060 4_2_00443060
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0041A870 4_2_0041A870
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0042C0C0 4_2_0042C0C0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0042C0D1 4_2_0042C0D1
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0044B0D0 4_2_0044B0D0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0042F0EB 4_2_0042F0EB
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00436917 4_2_00436917
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_004251F0 4_2_004251F0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0043225F 4_2_0043225F
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0043E260 4_2_0043E260
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00423A70 4_2_00423A70
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00408A10 4_2_00408A10
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0040BA30 4_2_0040BA30
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0042E2C0 4_2_0042E2C0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_004432C0 4_2_004432C0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00444AD0 4_2_00444AD0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00402AB0 4_2_00402AB0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0040A350 4_2_0040A350
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0041CB18 4_2_0041CB18
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0042FB19 4_2_0042FB19
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00434320 4_2_00434320
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00448320 4_2_00448320
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0044AB23 4_2_0044AB23
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0044B330 4_2_0044B330
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0042BBC0 4_2_0042BBC0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0044C3C0 4_2_0044C3C0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0044B3D0 4_2_0044B3D0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_004163D8 4_2_004163D8
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0041E3DB 4_2_0041E3DB
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_004353D9 4_2_004353D9
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0040FBF0 4_2_0040FBF0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0042A383 4_2_0042A383
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00428380 4_2_00428380
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0044BB80 4_2_0044BB80
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00445B90 4_2_00445B90
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00442BB1 4_2_00442BB1
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0042045C 4_2_0042045C
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0044B460 4_2_0044B460
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0041DC1A 4_2_0041DC1A
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00424430 4_2_00424430
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00437439 4_2_00437439
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0040D4C0 4_2_0040D4C0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0043E4F0 4_2_0043E4F0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00438490 4_2_00438490
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_004034B0 4_2_004034B0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0040AD50 4_2_0040AD50
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00409570 4_2_00409570
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0043BD70 4_2_0043BD70
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00407D10 4_2_00407D10
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00422D10 4_2_00422D10
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00416D3A 4_2_00416D3A
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00427DC0 4_2_00427DC0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0040CDD0 4_2_0040CDD0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0043C5ED 4_2_0043C5ED
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0042EDF0 4_2_0042EDF0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0040B590 4_2_0040B590
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_004135B0 4_2_004135B0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00403E50 4_2_00403E50
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0043965A 4_2_0043965A
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00410670 4_2_00410670
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0041D610 4_2_0041D610
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0042EE10 4_2_0042EE10
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00437E14 4_2_00437E14
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00441ED6 4_2_00441ED6
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00444ED0 4_2_00444ED0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00430E89 4_2_00430E89
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00426770 4_2_00426770
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0042DF70 4_2_0042DF70
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0042BF00 4_2_0042BF00
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0044171A 4_2_0044171A
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00423720 4_2_00423720
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00439F20 4_2_00439F20
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0040C730 4_2_0040C730
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00404732 4_2_00404732
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00448FC7 4_2_00448FC7
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_004457D0 4_2_004457D0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0041FFE0 4_2_0041FFE0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0043B7E0 4_2_0043B7E0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00408FF0 4_2_00408FF0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0042D7FD 4_2_0042D7FD
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0043DFB0 4_2_0043DFB0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_0044C7B0 4_2_0044C7B0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DF00D0 4_2_00DF00D0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC8090 4_2_00DC8090
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD0890 4_2_00DD0890
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE3890 4_2_00DE3890
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DF1890 4_2_00DF1890
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC4080 4_2_00DC4080
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DED080 4_2_00DED080
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC58A0 4_2_00DC58A0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DDE0A0 4_2_00DDE0A0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD4040 4_2_00DD4040
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC6070 4_2_00DC6070
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DEF060 4_2_00DEF060
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DF3813 4_2_00DF3813
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DDC010 4_2_00DDC010
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC1000 4_2_00DC1000
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DDA820 4_2_00DDA820
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD9020 4_2_00DD9020
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DEA020 4_2_00DEA020
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC31F0 4_2_00DC31F0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DDB1E0 4_2_00DDB1E0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD6180 4_2_00DD6180
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DEF9B0 4_2_00DEF9B0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC4940 4_2_00DC4940
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DDC940 4_2_00DDC940
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DCE170 4_2_00DCE170
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DF3160 4_2_00DF3160
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE0110 4_2_00DE0110
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE9100 4_2_00DE9100
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00E0C908 4_2_00E0C908
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DF2920 4_2_00DF2920
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DCF2D0 4_2_00DCF2D0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD52C0 4_2_00DD52C0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DEF2E0 4_2_00DEF2E0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD4290 4_2_00DD4290
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC2280 4_2_00DC2280
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE9AB0 4_2_00DE9AB0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DCEAA0 4_2_00DCEAA0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DF6A54 4_2_00DF6A54
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE8A50 4_2_00DE8A50
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE0A10 4_2_00DE0A10
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE6A00 4_2_00DE6A00
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE8200 4_2_00DE8200
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC5220 4_2_00DC5220
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC9220 4_2_00DC9220
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE5220 4_2_00DE5220
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DDF3D0 4_2_00DDF3D0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD73F0 4_2_00DD73F0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC6390 4_2_00DC6390
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD3390 4_2_00DD3390
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DDABA0 4_2_00DDABA0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE0350 4_2_00DE0350
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC8340 4_2_00DC8340
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DEEB40 4_2_00DEEB40
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DDFB70 4_2_00DDFB70
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE1370 4_2_00DE1370
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DCC310 4_2_00DCC310
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DCB300 4_2_00DCB300
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DCE4C0 4_2_00DCE4C0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD3CC0 4_2_00DD3CC0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DDCCE0 4_2_00DDCCE0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD0490 4_2_00DD0490
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DF3C90 4_2_00DF3C90
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC6C80 4_2_00DC6C80
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD6480 4_2_00DD6480
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE5480 4_2_00DE5480
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DF2480 4_2_00DF2480
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC54A0 4_2_00DC54A0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE8450 4_2_00DE8450
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC2C40 4_2_00DC2C40
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DDEC40 4_2_00DDEC40
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE8C40 4_2_00DE8C40
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DF3477 4_2_00DF3477
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE5C60 4_2_00DE5C60
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00E01420 4_2_00E01420
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DFB41A 4_2_00DFB41A
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC5C20 4_2_00DC5C20
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DEF5D0 4_2_00DEF5D0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DF35C0 4_2_00DF35C0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC9580 4_2_00DC9580
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DEDD80 4_2_00DEDD80
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD55B0 4_2_00DD55B0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DEEDB0 4_2_00DEEDB0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DDDD50 4_2_00DDDD50
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DEFD50 4_2_00DEFD50
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD8540 4_2_00DD8540
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DDD560 4_2_00DDD560
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD9500 4_2_00DD9500
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC7D30 4_2_00DC7D30
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DCF530 4_2_00DCF530
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DCAD30 4_2_00DCAD30
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD26F0 4_2_00DD26F0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DF1EF0 4_2_00DF1EF0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD2E90 4_2_00DD2E90
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE8690 4_2_00DE8690
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DF2E90 4_2_00DF2E90
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DEB680 4_2_00DEB680
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DDC6A0 4_2_00DDC6A0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD7E50 4_2_00DD7E50
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC8640 4_2_00DC8640
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC3640 4_2_00DC3640
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD6E40 4_2_00DD6E40
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC4660 4_2_00DC4660
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DDB630 4_2_00DDB630
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE9630 4_2_00DE9630
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD7620 4_2_00DD7620
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD0E20 4_2_00DD0E20
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DF0620 4_2_00DF0620
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC67D0 4_2_00DC67D0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC9FF0 4_2_00DC9FF0
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DC1790 4_2_00DC1790
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD6790 4_2_00DD6790
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DCB780 4_2_00DCB780
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE0F80 4_2_00DE0F80
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00E0E782 4_2_00E0E782
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DDFF70 4_2_00DDFF70
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DE9F00 4_2_00DE9F00
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DCE730 4_2_00DCE730
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DD9720 4_2_00DD9720
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: String function: 0040B390 appears 43 times
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: String function: 00DF6F60 appears 102 times
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: String function: 00E04014 appears 34 times
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: String function: 00DFF1CC appears 46 times
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: String function: 0041A860 appears 95 times
Source: SoftWare(2).exe1.exe Static PE information: invalid certificate
Source: SoftWare(2).exe1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SoftWare(2).exe1.exe Static PE information: Section: .bss ZLIB complexity 1.0003236607142858
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/2
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00443EA0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 4_2_00443EA0
Source: SoftWare(2).exe1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SoftWare(2).exe1.exe, 00000004.00000003.1386465121.0000000003505000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SoftWare(2).exe1.exe Virustotal: Detection: 45%
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File read: C:\Users\user\Desktop\SoftWare(2).exe1.exe
Source: unknown Process created: C:\Users\user\Desktop\SoftWare(2).exe1.exe "C:\Users\user\Desktop\SoftWare(2).exe1.exe"
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Process created: C:\Users\user\Desktop\SoftWare(2).exe1.exe "C:\Users\user\Desktop\SoftWare(2).exe1.exe"
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Process created: C:\Users\user\Desktop\SoftWare(2).exe1.exe "C:\Users\user\Desktop\SoftWare(2).exe1.exe"
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Section loaded: ondemandconnroutehelper.dll
Source: SoftWare(2).exe1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DF711A push ecx; ret 2_2_00DF712D
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_004548BF push ss; iretd 4_2_004548DA
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DF711A push ecx; ret 4_2_00DF712D
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Window / User API: threadDelayed 6379
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe TID: 7388 Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe TID: 5444 Thread sleep count: 6379 > 30
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00E08ECE FindFirstFileExW, 2_2_00E08ECE
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00E08F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 2_2_00E08F7F
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00E08ECE FindFirstFileExW, 4_2_00E08ECE
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00E08F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose, 4_2_00E08F7F
Source: SoftWare(2).exe1.exe, 00000004.00000003.1485032247.0000000000A59000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000002.2594922765.0000000000A1C000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000003.1461280809.0000000000A59000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000002.2595298145.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000003.2162189965.0000000000A59000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00449710 LdrInitializeThunk, 4_2_00449710
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DF6DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00DF6DE8
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00E1F1B4 mov edi, dword ptr fs:[00000030h] 2_2_00E1F1B4
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00E0490C GetProcessHeap, 2_2_00E0490C
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DF6A2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00DF6A2C
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DF6DDC SetUnhandledExceptionFilter, 2_2_00DF6DDC
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DFEF1E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00DFEF1E
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DF6A2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00DF6A2C
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DF6DDC SetUnhandledExceptionFilter, 4_2_00DF6DDC
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DF6DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00DF6DE8
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 4_2_00DFEF1E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00DFEF1E

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00E1F1B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 2_2_00E1F1B4
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Memory written: C:\Users\user\Desktop\SoftWare(2).exe1.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Process created: C:\Users\user\Desktop\SoftWare(2).exe1.exe "C:\Users\user\Desktop\SoftWare(2).exe1.exe"
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: GetLocaleInfoW, 2_2_00E088F6
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: EnumSystemLocalesW, 2_2_00E088AB
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: EnumSystemLocalesW, 2_2_00E041F7
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_00E0899D
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: GetLocaleInfoW, 2_2_00E08AA3
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_00E08238
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: GetLocaleInfoW, 2_2_00E03CFC
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: EnumSystemLocalesW, 2_2_00E08489
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_00E08524
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: GetLocaleInfoW, 2_2_00E087D6
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: EnumSystemLocalesW, 2_2_00E08777
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: GetLocaleInfoW, 4_2_00E088F6
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: EnumSystemLocalesW, 4_2_00E088AB
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: EnumSystemLocalesW, 4_2_00E041F7
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_00E0899D
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: GetLocaleInfoW, 4_2_00E08AA3
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_00E08238
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: GetLocaleInfoW, 4_2_00E03CFC
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: EnumSystemLocalesW, 4_2_00E08489
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_00E08524
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: GetLocaleInfoW, 4_2_00E087D6
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: EnumSystemLocalesW, 4_2_00E08777
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Code function: 2_2_00DF7827 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_00DF7827
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: SoftWare(2).exe1.exe, 00000004.00000003.1485032247.0000000000A59000.00000004.00000020.00020000.00000000.sdmp, SoftWare(2).exe1.exe, 00000004.00000003.1485032247.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: SoftWare(2).exe1.exe PID: 7352, type: MEMORYSTR
Source: Yara match File source: 4.2.SoftWare(2).exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SoftWare(2).exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2594571322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1358798719.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: SoftWare(2).exe1.exe, 00000004.00000003.1485921377.0000000000A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: SoftWare(2).exe1.exe, 00000004.00000003.1485921377.0000000000A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: SoftWare(2).exe1.exe, 00000004.00000003.1485921377.0000000000A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: SoftWare(2).exe1.exe, 00000004.00000003.1461228467.0000000000AC4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx LibertyE
Source: SoftWare(2).exe1.exe, 00000004.00000003.1461280809.0000000000A59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: SoftWare(2).exe1.exe, 00000004.00000003.1461385869.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Exodus
Source: SoftWare(2).exe1.exe, 00000004.00000003.1484920771.0000000000AC4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance#
Source: SoftWare(2).exe1.exe, 00000004.00000003.1485921377.0000000000A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: SoftWare(2).exe1.exe, 00000004.00000003.1461228467.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: SoftWare(2).exe1.exe, 00000004.00000003.1461385869.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Directory queried: C:\Users\user\Documents\SQRKHNBNYN Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(2).exe1.exe Directory queried: C:\Users\user\Documents\ZTGJILHXQB Jump to behavior
Source: Yara match File source: 00000004.00000003.1461447157.0000000000A69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1461280809.0000000000A59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SoftWare(2).exe1.exe PID: 7352, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: SoftWare(2).exe1.exe PID: 7352, type: MEMORYSTR
Source: Yara match File source: 4.2.SoftWare(2).exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SoftWare(2).exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2594571322.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1358798719.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY